`
If you disable or don’t configure this setting, your default Home page is the webpage specified in App settings. |**Enabled:** Configure your Home pages. If you use this option, you must also include site URLs.
**Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings. | -|Configure Password Manager |Windows 10 or later |This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
If you enable this setting, employees can use Password Manager to save their passwords locally.
If you disable this setting, employees can’t use Password Manager to save their passwords locally.
If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally. |**Not configured:** Employees can choose whether to use Password Manager.
**Enabled (default):** Employees can use Password Manager to save passwords locally.
**Disabled:** Employees can't use Password Manager to save passwords locally. | -|Configure Pop-up Blocker |Windows 10 or later |This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.
If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.
If you don’t configure this setting, employees can choose whether to use Pop-up Blocker. |**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.
**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows. | -|Configure search suggestions in Address bar |Windows 10 or later |This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.
If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. |**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.
**Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge. | -|Configure SmartScreen Filter |Windows 10 or later |This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, SmartScreen Filter is turned on.
If you enable this setting, SmartScreen Filter is turned on and employees can’t turn it off.
If you disable this setting, SmartScreen Filter is turned off and employees can’t turn it on.
If you don’t configure this setting, employees can choose whether to use SmartScreen Filter. |**Not configured (default):** Employees can choose whether to use SmartScreen Filter.
**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.
**Disabled:** Turns off SmartScreen Filter. | -|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.
If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.
**Note**
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured.
If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.
**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.| -|Prevent access to the about:flags page |Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
If you enable this policy setting, employees can’t access the about:flags page.
If you disable or don’t configure this setting, employees can access the about:flags page. |**Enabled:** Stops employees from using the about:flags page.
**Disabled or not configured (default):** Lets employees use the about:flags page. | -|Prevent bypassing SmartScreen prompts for files |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files.
If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from downloading the unverified files.
If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue the download process. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about unverified files.
**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process. | -|Prevent bypassing SmartScreen prompts for sites |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites.
If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from continuing to the site.
If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue to the site. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about potentially malicious sites.
**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about potentially malicious sites and continue to the site. | -|Prevent using Localhost IP address for WebRTC |Windows 10, Version 1511 or later |This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.
If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.
If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol. |**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol.
**Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol. | -|Send all intranet sites to Internet Explorer 11 |Windows 10 or later |This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.
If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.
If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge. |**Enabled:** Automatically opens all intranet sites using Internet Explorer 11.
**Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge. | -|Show message when opening sites in Internet Explorer |Windows 10, Version 1607 and later |This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears. |**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
**Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. | +|Allow Address bar drop-down list suggestions|Windows 10, Windows Insider Program|This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
**Note**
Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.
If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge.
If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".|**Enabled or not configured (default):** Employees can see the Address bar drop-down functionality in Microsoft Edge.
**Disabled:** Employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".| +|Allow Adobe Flash|Windows 10 or later|This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
If you enable or don't configure this setting, employees can use Adobe Flash.
If you disable this setting, employees can't use Adobe Flash.|**Enabled or not configured (default):** Employees use Adobe Flash in Microsoft Edge.
**Disabled:** Employees can’t use Adobe Flash.| +|Allow clearing browsing data on exit|Windows 10, Windows Insider Program|This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.
If you enable this policy setting, clearing browsing history on exit is turned on.
If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options area, under Settings.|**Enabled:** Turns on the automatic clearing of browsing data when Microsoft Edge closes.
**Disabled or not configured (default):** Employees can turn on and configure whether to automatically clear browsing data when Microsoft Edge closes in the Clear browsing data options area under Settings.| +|Allow Developer Tools|Windows 10, Version 1511 or later|This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge.
If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge.|**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.
**Disabled:** Hides the F12 Developer Tools on Microsoft Edge.| +|Allow Extensions|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can use Edge Extensions.
If you enable or don’t configure this setting, employees can use Edge Extensions.
If you disable this setting, employees can’t use Edge Extensions.|**Enabled or not configured:** Lets employees use Edge Extensions.
**Disabled:** Stops employees from using Edge Extensions.| +|Allow InPrivate browsing|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can browse using InPrivate website browsing.
If you enable or don’t configure this setting, employees can use InPrivate website browsing.
If you disable this setting, employees can’t use InPrivate website browsing.|**Enabled or not configured (default):** Lets employees use InPrivate website browsing.
**Disabled:** Stops employees from using InPrivate website browsing.| +|Allow Microsoft Compatibility List|Windows 10, Version 1607 or later|This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.
If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.
If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation.|**Enabled or not configured (default):** Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.
**Disabled:** Microsoft Edge doesn’t use the Microsoft Compatibility List during browser navigation.| +|Allow search engine customization|Windows 10, Windows Insider Program|This policy setting lets you decide whether users can change their search engine.
**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
If you enable or don't configure this policy, users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.
If you disable this setting, users can't add search engines or change the default used in the address bar.|**Enabled or not configured (default):** Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.
**Disabled:** Employees can't add search engines or change the default used in the Address bar.| +|Allow web content on New Tab page|Windows 10 or later|This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.
If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
If you disable this setting, Microsoft Edge opens a new tab with a blank page.
If you don’t configure this setting, employees can choose how new tabs appears.|**Not configured (default):** Employees see web content on New Tab page, but can change it.
**Enabled:** Employees see web content on New Tab page.
**Disabled:** Employees always see an empty new tab.| +|Configure additional search engines|Windows 10, Windows Insider Program|This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting.
**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add: If you disable this setting, any added search engines are removed from your employee's devices. If you don't configure this setting, the search engine list is set to what is specified in App settings.|**Enabled:** Add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. **Disabled (default):** Any additional search engines are removed from your employee's devices. **Not configured:** Search engine list is set to what is specified in App settings.|
+|Configure Autofill|Windows 10 or later|This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill. If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge. If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.|**Not configured (default):** Employees can choose to turn Autofill on or off. **Enabled:** Employees can use Autofill to complete form fields. **Disabled:** Employees can’t use Autofill to complete form fields.|
+|Configure cookies|Windows 10 or later|This setting lets you configure how to work with cookies. If you enable this setting, you must also decide whether to: If you disable or don't configure this setting, all cookies are allowed from all sites.|**Enabled:** Lets you decide how your company treats cookies. **Disabled or not configured:** All cookies are allowed from all sites.|
+|Configure Do Not Track|Windows 10 or later|This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests. If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info. If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info. If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info.|**Not configured (default):** Employees can choose to send Do Not Track headers on or off. **Enabled:** Employees can send Do Not Track requests to websites requesting tracking info. **Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info.|
+|Configure Favorites|Windows 10, Version 1511 or later|This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed. If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub.|**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites. **Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub.|
+|Configure Password Manager|Windows 10 or later|This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. If you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting, employees can’t use Password Manager to save their passwords locally. If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally.|**Not configured:** Employees can choose whether to use Password Manager. **Enabled (default):** Employees can use Password Manager to save passwords locally. **Disabled:** Employees can't use Password Manager to save passwords locally.|
+|Configure Pop-up Blocker|Windows 10 or later|This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. If you don’t configure this setting, employees can choose whether to use Pop-up Blocker.|**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows. **Disabled:** Turns off Pop-up Blocker, allowing pop-up windows.|
+|Configure search suggestions in Address bar|Windows 10 or later|This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.|**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. **Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge. **Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge.|
+|Configure Start pages|Windows 10, Version 1511 or later|This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it. If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format: If you disable or don’t configure this setting, your default Start page is the webpage specified in App settings.|**Enabled:** Configure your Start pages. If you use this option, you must also include site URLs. **Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings.|
+|Configure the Adobe Flash Click-to-Run setting|Windows 10, Windows Insider Program|This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. **Important** If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.|**Enabled or not configured:** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. **Disabled:** Adobe Flash content is automatically loaded and run by Microsoft Edge.|
+|Configure the Enterprise Mode Site List|Windows 10 or later|This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. **Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured. If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11. **Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
+|Configure Windows Defender SmartScreen|Windows 10 or later|This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off. If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on. If you don’t configure this setting, employees can choose whether to use Windows Defender SmartScreen.|**Not configured (default):** Employees can choose whether to use Windows Defender SmartScreen. **Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software. **Disabled:** Turns off Windows Defender SmartScreen.|
+|Disable lockdown of Start pages|Windows 10, Windows Insider Program|This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect. **Note** **Important** If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them. If you disable or don't configure this setting, employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages.|**Enabled:** You’re unable to lock down any Start pages that are configured using the "Configure Start pages" setting, which means that your employees can modify them. **Disabled or not configured (default):** Employees can't change any Start pages configured using the "Configure Start pages" setting.|
+|Keep favorites in sync between Internet Explorer and Microsoft Edge|Windows 10, Windows Insider Program|This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge. If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees can’t sync their favorites between Internet Explorer and Microsoft Edge.|**Enabled:** Employees can sync their Favorites between Internet Explorer and Microsoft Edge. **Disabled or not configured (default):** Employees can’t sync their Favorites between Internet Explorer and Microsoft Edge.|
+|Prevent access to the about:flags page|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. If you enable this policy setting, employees can’t access the about:flags page. If you disable or don’t configure this setting, employees can access the about:flags page.|**Enabled:** Stops employees from using the about:flags page. **Disabled or not configured (default):** Lets employees use the about:flags page.|
+|Prevent bypassing Windows Defender SmartScreen prompts for files|Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files. If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files. **Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.|
+|Prevent bypassing Windows Defender SmartScreen prompts for sites|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site. If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about potentially malicious sites. **Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about potentially malicious sites and continue to the site.|
+|Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start|Windows 10, Windows Insider Program|This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|**Enabled:** Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. **Disabled or not configured (default):** Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|
+|Prevent the First Run webpage from opening on Microsoft Edge|Windows 10, Windows Insider Program|This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time.|**Enabled:** Employees won't see the First Run page when opening Microsoft Edge for the first time. **Disabled or not configured (default):** Employees will see the First Run page when opening Microsoft Edge for the first time.|
+|Prevent using Localhost IP address for WebRTC|Windows 10, Version 1511 or later|This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol. If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol.|**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol. **Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol.|
+|Send all intranet sites to Internet Explorer 11|Windows 10 or later|This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge.|**Enabled:** Automatically opens all intranet sites using Internet Explorer 11. **Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge.|
+|Set default search engine|Windows 10, Windows Insider Program|This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. **Important** If you enable this setting, you can choose a default search engine for your employees. If this setting is enabled, you must also add the default engine to the “Set default search engine” setting, by adding a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link you wish to add: **Note** If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market. If you don't configure this setting, the default search engine is set to the one specified in App settings.|**Enabled:** You can choose a default search engine for your employees. **Disabled:** The policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market. **Not configured (default):** The default search engine is set to the one specified in App settings.|
+|Show message when opening sites in Internet Explorer|Windows 10, Version 1607 and later|This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears.|**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. **Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.|
-## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
+## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
-> **Note** **Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. **Example:** **Note** **Example:** **Example:** **Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. **Example:** **Note** **Example:** **Example:** **Disabled:** Stops employees from using Cortana on their devices. **Note** Employees can still perform searches even with Cortana turned off. |
-|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync |Whether employees can use the **Sync your Settings** options to sync their settings to and from their device. |**Enabled:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting. **Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device. |
-|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings |Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and Favorites. |**Enabled:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting. **Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device. |
+|Group Policy setting|Description|Options|
+|--------------------|--------------|---------|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Whether employees can use Cortana.|**Enabled or not configured:** Employees can use Cortana on their devices. **Disabled:** Stops employees from using Cortana on their devices. **Note** Employees can still perform searches even with Cortana turned off.|
+|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync|Whether employees can use the **Sync your Settings** options to sync their settings to and from their device.|**Enabled:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting. **Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device.|
+|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings|Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and Favorites.|**Enabled:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting. **Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device.|
## Microsoft Edge and Windows 10-specific MDM policy settings
These are additional Windows 10-specific MDM policy settings that work with Microsoft Edge.
-|MDM Policy name |Supports |Details |
-|----------------|--------------|------------------- |
-|AllowCortana |Both | Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10. Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic Enterprise when you apply the Enterprise license file to the device. Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10. Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic for Business when you apply the Enterprise license file to the device. [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address. Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join. In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. **Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. **Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. 5 50 S0 Ready
-[Windows 10 editions for education customers](windows-editions-for-education-customers.md) [Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
-[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) [Windows 10 editions for education customers](windows-editions-for-education-customers.md) [Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) [Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
-[Provisioning options for Windows 10](set-up-windows-10.md)
+[Provisioning options for Windows 10](set-up-windows-10.md)
[Get Minecraft Education Edition](get-minecraft-for-education.md) [Take tests in Windows 10](take-tests-in-windows-10.md) [Chromebook migration guide](chromebook-migration-guide.md) [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
- [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
- [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) Try it out: Windows 10 deployment (for education) [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) Windows 8.1 deployment planning Windows 8.1 deployment to PCs BYOD Deploying Windows RT 8.1 Virtual Desktop Infrastructure Windows Store apps Windows To Go Packaging All of the Office applications that you want to deploy to users must be in a single package. In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer. If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project). If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). Project Pro for Office 365 You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx). You don’t use shared computer activation if you’re deploying a volume licensed product, such as: Office Professional Plus 2016 Visio Professional 2016 Project Professional 2016 Product element Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.
+
+ For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297)
+ Language element Version (attribute of Add element) Optional. Specifies a build to use for the package Defaults to latest advertised build (as defined in v32.CAB at the Office source). SourcePath (attribute of Add element) Office 2016 ProPlusVolume O365ProPlusRetail Office 2016 with Visio 2016 ProPlusVolume VisioProVolume O365ProPlusRetail VisioProRetail Office 2016 with Visio 2016 and Project 2016 ProPlusVolume VisioProVolume ProjectProVolume O365ProPlusRetail VisioProRetail ProjectProRetail ProductID Specify the type of licensing, as shown in the following examples: Subscription Licensing Specify Subscription licensing, as shown in the following example: Volume Licensing In this example, the following changes were made to create a package with Volume licensing: SourcePath is the path, which was changed to point to the Office applications that were downloaded earlier. Product ID for Office was changed to Product ID for Visio was changed to ExcludeApp (optional) Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath. PACKAGEGUID (optional) By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server. An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users. Even if you use unique package IDs, you can still deploy only one App-V package to a single device. /packager creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file. creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file. \\server\Office2016\Customconfig.xml How do I package and publish Visio 2016 and Project 2016 with Office? You must include Visio 2016 and Project 2016 in the same package with Office. If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md). If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. How can I deploy Visio 2016 and Project 2016 to specific users? [Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-office-vers-supp-appv) [Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv) Supported versions of Office Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI) [Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-plan-coexisting) [Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting) Considerations for installing different versions of Office on the same computer Packaging All of the Office applications that you want to deploy to users must be in a single package. In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer. If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project). If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). Project Pro for Office 365 You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx). You don’t use shared computer activation if you’re deploying a volume licensed product, such as: Office Professional Plus 2016 Visio Professional 2016 Project Professional 2016 Supported operating systems 64-bit version of Windows 10 64-bit version of Windows 8 or later 64-bit version of Windows 8 or 8.1 64-bit version of Windows 7 Product element Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.
+
+ For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297)
+ Language element SourcePath (attribute of Add element) Specifies the location in which the applications will be saved to. Branch (attribute of Add element) Optional. Specifies the update branch for the product that you want to download or install. For more information about update branches, see Overview of update branches for Office 365 ProPlus. Optional. Specifies the update branch for the product that you want to download or install. For more information about update branches, see Overview of update branches for Office 365 ProPlus. Office 2016 ProPlusVolume O365ProPlusRetail Office 2016 with Visio 2016 ProPlusVolume VisioProVolume O365ProPlusRetail VisioProRetail Office 2016 with Visio 2016 and Project 2016 ProPlusVolume VisioProVolume ProjectProVolume O365ProPlusRetail VisioProRetail ProjectProRetail ProductID Specify the type of licensing, as shown in the following examples: Subscription Licensing Specify Subscription licensing, as shown in the following example: Volume Licensing In this example, the following changes were made to create a package with Volume licensing: SourcePath is the path, which was changed to point to the Office applications that were downloaded earlier. Product ID for Office was changed to Product ID for Visio was changed to ExcludeApp (optional) Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access. Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath. PACKAGEGUID (optional) By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server. An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users. Even if you use unique package IDs, you can still deploy only one App-V package to a single device. /packager creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file. creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file. \\server\Office2016\Customconfig.xml 64-bit Microsoft System Center 2012 R2 Configuration Manager 64-bit Microsoft System Center 2012 Configuration Manager SP1 Microsoft System Center Configuration Manager 2007 R2 or later SP1 or later 64-bit Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software. Microsoft SQL Server 2014 Standard, Enterprise, or Datacenter SP1 64-bit Microsoft SQL Server 2014 Standard, Enterprise, or Datacenter 64-bit Microsoft SQL Server 2012 Microsoft SQL Server 2014 Standard, Enterprise, or Datacenter SP2 64-bit Microsoft SQL Server 2012 Microsoft SQL Server 2014 Standard, Enterprise, or Datacenter SP1 64-bit Microsoft SQL Server 2012 Standard, Enterprise, or Datacenter SP3 64-bit Microsoft SQL Server 2008 R2 Standard or Enterprise SP1, SP2, SP3 SP3 64-bit .NET Framework 4 or higher Windows 8 and Windows 8.1 Windows 8.1 Enterprise or Pro None 32-bit or 64-bit Windows PowerShell 3.0 or higher .NET Framework 4.5 Windows 10, pre-1607 verison Enterprise or Pro 32-bit or 64-bit Windows PowerShell 3.0 or higher .NET Framework 4.5 Windows Server 2016 Standard or Datacenter None 64-bit Windows PowerShell 3.0 or higher .NET Framework 4.5 .NET Framework 4.5 or higher Windows 10 Windows 10, pre-1607 version Only UE-V 2.1 SP1 supports Windows 10 Only UE-V 2.1 SP1 supports Windows 10, pre-1607 version Windows PowerShell 3.0 or higher .NET Framework 4.5 or higher Windows Server 2016 Standard or Datacenter None 64-bit Windows PowerShell 3.0 or higher .NET Framework 4.6 or higher 32-bit versions of Windows Vista X 64-bit versions of Windows Vista X 32-bit versions of Windows 7 X X If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
+
+### Download VHD and ISO files
+
+When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account.
+
+1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
+
+ **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
+
+ After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
+
+
+
+ Important: Notes: Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933). Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed -or- Token was not found in the Authorization header -or- Failed to read one or more objects -or- The request sent to the server was invalid. Not configured: Users can provision Windows Hello for Business, which encrypts their domain password. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device does not provision Windows Hello for Business for any user. Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Enabled: Windows Hello for Business will only be provisioned using TPM. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Not configured: Biometrics can be used as a gesture in place of a PIN. Enabled: Biometrics can be used as a gesture in place of a PIN. Disabled: Only a PIN can be used as a gesture. Not configured: Users must include a digit in their PIN. Enabled: Users must include a digit in their PIN. Disabled: Users cannot use digits in their PIN. Not configured: Users cannot use lowercase letters in their PIN. Enabled: Users must include at least one lowercase letter in their PIN. Disabled: Users cannot use lowercase letters in their PIN. Not configured: PIN length must be less than or equal to 127. Enabled: PIN length must be less than or equal to the number you specify. Disabled: PIN length must be less than or equal to 127. Not configured: PIN length must be greater than or equal to 4. Enabled: PIN length must be greater than or equal to the number you specify. Disabled: PIN length must be greater than or equal to 4. Not configured: PIN does not expire. Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. Disabled: PIN does not expire. Not configured: Previous PINs are not stored. Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. Disabled: Previous PINs are not stored. Not configured: Users cannot include a special character in their PIN. Enabled: Users must include at least one special character in their PIN. Disabled: Users cannot include a special character in their PIN. Not configured: Users cannot include an uppercase letter in their PIN. Enabled: Users must include at least one uppercase letter in their PIN. Disabled: Users cannot include an uppercase letter in their PIN. Use Phone Sign-in Not configured: Phone sign-in is disabled. Enabled: Users can use a portable, registered device as a companion device for desktop authentication. Disabled: Phone sign-in is disabled. True: Windows Hello for Business will be provisioned for all users on the device. False: Users will not be able to provision Windows Hello for Business. True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. UseBiometrics True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. False: Only a PIN can be used as a gesture for domain sign-in. FacialFeaturesUser EnhancedAntiSpoofing Not configured: users can choose whether to turn on enhanced anti-spoofing. True: Enhanced anti-spoofing is required on devices which support it. False: Users cannot turn on enhanced anti-spoofing. 1: Numbers are not allowed. 2: At least one number is required. 1: Lowercase letters are not allowed. 2: At least one lowercase letter is required. Maximum length that can be set is 127. Maximum length cannot be less than minimum setting. Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting. Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire.
+ Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
+ 1: Special characters are not allowed. 2: At least one special character is required. 1: Uppercase letters are not allowed 2: At least one uppercase letter is required UseRemotePassport True: Phone sign-in is enabled. False: Phone sign-in is disabled. Not configured: Users can provision Windows Hello for Business, which encrypts their domain password. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device does not provision Windows Hello for Business for any user. Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Enabled: Windows Hello for Business will only be provisioned using TPM. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Not configured: Biometrics can be used as a gesture in place of a PIN. Enabled: Biometrics can be used as a gesture in place of a PIN. Disabled: Only a PIN can be used as a gesture. Not configured: Users must include a digit in their PIN. Enabled: Users must include a digit in their PIN. Disabled: Users cannot use digits in their PIN. Not configured: Users cannot use lowercase letters in their PIN. Enabled: Users must include at least one lowercase letter in their PIN. Disabled: Users cannot use lowercase letters in their PIN. Not configured: PIN length must be less than or equal to 127. Enabled: PIN length must be less than or equal to the number you specify. Disabled: PIN length must be less than or equal to 127. Not configured: PIN length must be greater than or equal to 4. Enabled: PIN length must be greater than or equal to the number you specify. Disabled: PIN length must be greater than or equal to 4. Not configured: PIN does not expire. Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. Disabled: PIN does not expire. Not configured: Previous PINs are not stored. Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. Disabled: Previous PINs are not stored. Not configured: Users cannot include a special character in their PIN. Enabled: Users must include at least one special character in their PIN. Disabled: Users cannot include a special character in their PIN. Not configured: Users cannot include an uppercase letter in their PIN. Enabled: Users must include at least one uppercase letter in their PIN. Disabled: Users cannot include an uppercase letter in their PIN. Use Phone Sign-in Not configured: Phone sign-in is disabled. Enabled: Users can use a portable, registered device as a companion device for desktop authentication. Disabled: Phone sign-in is disabled. True: Windows Hello for Business will be provisioned for all users on the device. False: Users will not be able to provision Windows Hello for Business. True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. UseBiometrics True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. False: Only a PIN can be used as a gesture for domain sign-in. FacialFeaturesUser EnhancedAntiSpoofing Not configured: users can choose whether to turn on enhanced anti-spoofing. True: Enhanced anti-spoofing is required on devices which support it. False: Users cannot turn on enhanced anti-spoofing. 1: Numbers are not allowed. 2: At least one number is required. 1: Lowercase letters are not allowed. 2: At least one lowercase letter is required. Maximum length that can be set is 127. Maximum length cannot be less than minimum setting. Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting. Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire.
- Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
- 1: Special characters are not allowed. 2: At least one special character is required. 1: Uppercase letters are not allowed. 2: At least one uppercase letter is required UseRemotePassport True: Phone sign-in is enabled. False: Phone sign-in is disabled. If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. We strongly recommend educating employees about how to limit or eliminate the need for this decryption. Note Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933). Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed -or- Token was not found in the Authorization header -or- Failed to read one or more objects -or- The request sent to the server was invalid. Azure AD subscription Azure AD subscription PKI infrastructure Intune Important: Notes: The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. Symbolic name: MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD Message: The antimalware engine has uploaded a file for further analysis. Description: A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing. Symbolic name: MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED Message: The antimalware engine has encountered an error trying to upload a suspicious file for further analysis. Description: A file could not be uploaded to the Windows Defender Antimalware cloud. User action: You can attempt to manually submit the file. [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. [Microsoft Passport guide](microsoft-passport-guide.md) This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout. [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. For example: If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work. If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. |
+|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md) If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
+
+## Signing in using Azure AD
+Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx)
+
+## Cortana and privacy
+We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](http://windows.microsoft.com/windows-10/cortana-privacy-faq) topic.
+
+Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
+
+## See also
+- [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818)
+
+- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384)
+
+- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10)
+
+- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
diff --git a/windows/manage/cortana-at-work-policy-settings.md b/windows/manage/cortana-at-work-policy-settings.md
new file mode 100644
index 0000000000..83f10f7d3e
--- /dev/null
+++ b/windows/manage/cortana-at-work-policy-settings.md
@@ -0,0 +1,44 @@
+---
+title: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization (Windows 10)
+description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!NOTE]
+>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
+
+|Group policy |MDM policy |Description |
+|-------------|-----------|------------|
+|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked. **NOTE** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** Use this setting if you only want to support Azure AD in your organization.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required. **NOTE** **In Windows 10 Pro edition** **In Windows 10 Enterprise edition** **IMPORTANT** If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
+
+## Create a custom Answer Page for Cortana
+You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana.
+
+After you’ve finished creating your Answer Page, you can continue to the included testing scenarios.
+
+ >[!NOTE]
+ >It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
+
+**To create a custom sales data Answer Page for Cortana**
+1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
+
+ 
+
+2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
+
+ A blank report page appears.
+
+3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
+
+ 
+
+4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
+
+ 
+
+ The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
+
+5. In the **Visualizations** pane, click the paint roller icon again, expand **Page Information**, type _Sales data 2016_ into the **Name** box, turn on **Q&A**, and then add alternate report names (separated by commas) into the text box.
+
+ The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
+
+ 
+
+6. Click **File**, click **Save as**, and save the report as _Sales data 2016_.
+
+ Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows 10, or otherwise restart Cortana, before the new content appears.
+
+## Test Scenario: Use Cortana to show info from Power BI in your organization
+Now that you’ve set up your device, you can use Cortana to show your info from within Power BI.
+
+**To use Cortana with Power BI**
+1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+2. Type _This year in sales_.
+
+ Cortana shows you the available results.
+
+ 
+
+3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**.
+
+ Cortana returns your custom report.
+
+ 
+
+>[!NOTE]
+>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
diff --git a/windows/manage/cortana-at-work-scenario-1.md b/windows/manage/cortana-at-work-scenario-1.md
new file mode 100644
index 0000000000..4a9714a455
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-1.md
@@ -0,0 +1,58 @@
+---
+title: Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook (Windows 10)
+description: A test scenario walking you through signing in and managing the notebook.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook.
+
+## Turn on Azure AD
+This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
+
+1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**.
+
+2. Click your email address.
+
+ A dialog box appears, showing the associated account info.
+
+3. Click your email address again, and then click **Sign out**.
+
+ This signs out the Microsoft account, letting you continue to add and use the Azure AD account.
+
+4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request.
+
+5. Click **Sign-In** and follow the instructions.
+
+6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com.
+
+ >[!IMPORTANT]
+ >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it.
+
+## Use Cortana to manage the notebook content
+This process helps you to manage the content Cortana shows in your Notebook.
+
+1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**.
+
+2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**.
+
+3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**.
+
+ 
+
+4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington.
+
+ 
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-2.md b/windows/manage/cortana-at-work-scenario-2.md
new file mode 100644
index 0000000000..fb7b00d578
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-2.md
@@ -0,0 +1,41 @@
+---
+title: Test scenario 2 - Perform a quick search with Cortana at work (Windows 10)
+description: A test scenario about how to perform a quick search with Cortana at work.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 2 - Perform a quick search with Cortana at work
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
+
+## Search using Cortana
+This process helps you use Cortana at work to perform a quick search.
+
+1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+2. Type *Weather in New York*.
+
+ You should see the weather in New York, New York at the top of the search results.
+
+ 
+
+## Search with Cortana, by using voice commands
+This process helps you to use Cortana at work and voice commands to perform a quick search.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
+
+2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago.
+
+ 
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-3.md b/windows/manage/cortana-at-work-scenario-3.md
new file mode 100644
index 0000000000..89610c7093
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-3.md
@@ -0,0 +1,86 @@
+---
+title: Test scenario 3 - Set a reminder for a specific location using Cortana at work (Windows 10)
+description: A test scenario about how to set a location-based reminder using Cortana at work.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 3 - Set a reminder for a specific location using Cortana at work
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
+
+>[!NOTE]
+>You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario. Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
+
+## Create a reminder for a specific location
+This process helps you to create a reminder based on a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**.
+
+ 
+
+3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
+
+ 
+
+4. Click **Done**.
+
+ >[!NOTE]
+ >If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps.
+
+5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box.
+
+6. Take a picture of your receipts and store them locally on your device.
+
+7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
+
+ The photo is stored with the reminder.
+
+ 
+
+8. Review the reminder info, and then click **Remind**.
+
+ The reminder is saved and ready to be triggered.
+
+ 
+
+## Create a reminder for a specific location by using voice commands
+This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
+
+2. Say _Remind me to grab my expense report receipts before I leave home_.
+
+ Cortana opens a new reminder task and asks if it sounds good.
+
+ 
+
+3. Say _Yes_ so Cortana can save the reminder.
+
+ 
+
+## Edit or archive an existing reminder
+This process helps you to edit or archive and existing or completed reminder.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+ 
+
+2. Click the pending reminder you want to edit.
+
+ 
+
+3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-4.md b/windows/manage/cortana-at-work-scenario-4.md
new file mode 100644
index 0000000000..56f1f6af66
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-4.md
@@ -0,0 +1,51 @@
+---
+title: Test scenario 4 - Use Cortana at work to find your upcoming meetings (Windows 10)
+description: A test scenario about how to use Cortana at work to find your upcoming meetings.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 4 - Use Cortana at work to find your upcoming meetings
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
+
+>[!NOTE]
+>If you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
+
+## Find out about upcoming meetings
+This process helps you find your upcoming meetings.
+
+1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type _Show me my meetings for tomorrow_.
+
+ You’ll see all your meetings scheduled for the next day.
+
+ 
+
+## Find out about upcoming meetings by using voice commands
+This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
+
+2. Say _Show me what meeting I have at 3pm tomorrow_.
+
+ >[!IMPORTANT]
+ >Make sure that you have a meeting scheduled for the time you specify here.
+
+ 
+
+
diff --git a/windows/manage/cortana-at-work-scenario-5.md b/windows/manage/cortana-at-work-scenario-5.md
new file mode 100644
index 0000000000..8373a4f4c2
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-5.md
@@ -0,0 +1,57 @@
+---
+title: Test scenario 5 - Use Cortana to send email to a co-worker (Windows 10)
+description: A test scenario about how to use Cortana at work to send email to a co-worker.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 5 - Use Cortana to send email to a co-worker
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
+
+## Send an email to a co-worker
+This process helps you to send a quick message to a co-worker from the work address book.
+
+1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type _Send an email to <contact_name>_.
+
+ Where _<contact_name>_ is the name of someone in your work address book.
+
+4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
+
+ 
+
+## Send an email to a co-worker by using voice commands
+This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
+
+2. Say _Send an email to <contact_name>_.
+
+ Where _<contact_name>_ is the name of someone in your work address book.
+
+3. Add your email message by saying, _Hello this is a test email using Cortana at work._
+
+ The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**.
+
+ 
+
+4. Say _Send it_.
+
+ The email is sent.
+
+ 
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-6.md b/windows/manage/cortana-at-work-scenario-6.md
new file mode 100644
index 0000000000..ac15463824
--- /dev/null
+++ b/windows/manage/cortana-at-work-scenario-6.md
@@ -0,0 +1,37 @@
+---
+title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
+description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
+
+## Use Cortana and WIP to protect your organization’s data
+
+1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
+
+2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
+
+3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
+
+4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
+
+5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+ Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
diff --git a/windows/manage/cortana-at-work-testing-scenarios.md b/windows/manage/cortana-at-work-testing-scenarios.md
new file mode 100644
index 0000000000..41f734e006
--- /dev/null
+++ b/windows/manage/cortana-at-work-testing-scenarios.md
@@ -0,0 +1,32 @@
+---
+title: Testing scenarios using Cortana in your business or organization (Windows 10)
+description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Testing scenarios using Cortana in your business or organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
+
+- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana.
+
+- Set a reminder and have it remind you when you’ve reached a specific location.
+
+- Search for your upcoming meetings on your work calendar.
+
+- Send an email to a co-worker from your work email app.
+
+- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook.
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/manage/cortana-at-work-voice-commands.md
new file mode 100644
index 0000000000..2e2743fa61
--- /dev/null
+++ b/windows/manage/cortana-at-work-voice-commands.md
@@ -0,0 +1,64 @@
+---
+title: Set up and test custom voice commands in Cortana for your organization (Windows 10)
+description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Set up and test custom voice commands in Cortana for your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
+
+>[!NOTE]
+>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted).
+
+## High-level process
+Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
+
+To enable voice commands in Cortana
+
+1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized.
+
+ Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
+
+ - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
+
+ - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
+
+2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
+
+## Test Scenario: Use voice commands in a Windows Store app
+While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
+
+**To get a Windows Store app**
+1. Go to the Windows Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**.
+
+2. Click **Uber**, and then click **Install**.
+
+3. Open Uber, create an account or sign in, and then close the app.
+
+**To set up the app with Cortana**
+1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
+
+2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
+
+ 
+
+**To use the voice-enabled commands with Cortana**
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
+
+2. Say _Uber get me a taxi_.
+
+ Cortana changes, letting you provide your trip details for Uber.
+
+## See also
+- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
\ No newline at end of file
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
index cf6a6dab79..2ccace55f5 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -15,17 +15,18 @@ localizationpriority: medium
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 10 Mobile
**Looking for consumer information?**
- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
> **Note:** Customized taskbar configuration cannot be applied using MDM at this time.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile.
**Warning**
When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 8ec42b3218..7cc8395f8b 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -15,18 +15,19 @@ localizationpriority: medium
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 10 Mobile
**Looking for consumer information?**
- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Enterprise and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
>[!IMPORTANT]
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile.
## How Start layout control works
@@ -48,14 +49,12 @@ Three features enable Start and taskbar layout control:
Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
-> **Important**
-When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+>[!IMPORTANT]
+>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
-
-
3. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md
index 74afc0928b..b0a6b60bc0 100644
--- a/windows/manage/distribute-offline-apps.md
+++ b/windows/manage/distribute-offline-apps.md
@@ -33,50 +33,49 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona
## Distribution options for offline-licensed apps
+You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have options for distributing the apps:
-You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have three options for distributing the apps:
+- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
-- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
+- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://technet.microsoft.com/itpro/windows/deploy/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
-- **Windows ICD**. ICD is GUI tool that you can use to create Windows provisioning answer files, and add third-party drivers, apps, or other assets to an answer file. For more information, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx).
+- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
+ - [Manage apps from Windows Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+ - [Manage apps from Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune) [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. [Manage corporate devices](manage-corporate-devices.md) You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Windows Libraries](windows-libraries.md) Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music). [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). **Note** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** **Note** **In Windows 10 Pro edition** **In Windows 10 Enterprise edition** **Important**
+
+- Using Microsoft Mobile Device Management (MDM)
`
If you use this option, you must also choose whether to:
`
Sites are put on the auto-allowed list based on how frequently employees load and run the content.
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
This setting only applies when you're using the “Configure Start pages" setting.
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
`https://fabrikam.com/opensearch.xml`
If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.
+> [!NOTE]
> The **Supports** column uses these options:
-
-- **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
-
-- **Mobile.** Supports Windows 10 Mobile devices only.
-
-- **Both.** Supports both desktop and mobile devices.
+> - **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
+> - **Mobile.** Supports Windows 10 Mobile devices only.
+> - **Both.** Supports both desktop and mobile devices.
All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy.
-| Policy name |Supported versions |Supported device |Details |
+|Policy name|Supported versions|Supported device|Details|
|-------------|-------------------|-----------------|--------|
-|AllowAutofill|Windows 10 or later |Desktop |
-|AllowBrowser |Windows 10 or later |Mobile |
|
-|AllowCookies |Windows 10 or later |Both |
|
-|AllowDeveloperTools |Windows 10, Version 1511 or later |Desktop |
|
-|AllowDoNotTrack |Windows 10 or later |Both |
|
-|AllowExtensions |Windows 10, Version 1607 and later |Desktop |
|
-|AllowInPrivate |Windows 10, Version 1511 or later |Both |
|
-|AllowPasswordManager |Windows 10 or later |Both |
|
-|AllowPopups |Windows 10 or later |Desktop |
|
-|AllowSearchSuggestions
inAddressBar |Windows 10 or later |Both |
|
-|AllowSmartScreen |Windows 10 or later |Both |
|
-|EnterpriseModeSiteList |Windows 10 or later |Desktop |
|
-|Favorites |Windows 10, Version 1511 or later |Both |
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
|
-|FirstRunURL |Windows 10, Version 1511 or later |Mobile |
`
`
URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.
|
-|HomePages |Windows 10, Version 1511 or later |Desktop |
`
|
-|PreventAccessToAbout
`
FlagsInMicrosoftEdge |Windows 10, Version 1607 and later |Desktop |
|
-|PreventSmartScreen
PromptOverride |Windows 10, Version 1511 or later |Both |
|
-|PreventSmartScreen
PromptOverrideFor
Files |Windows 10, Version 1511 or later |Both |
|
-|PreventUsingLocalHost
IPAddressForWebRTC |Windows 10, Version 1511 or later |Desktop |
|
-|SendIntranetTraffic
toInternetExplorer |Windows 10 or later |Desktop |
|
-|ShowMessageWhen
OpeningInteretExplorer
Sites |Windows 10, Version 1607 and later |Desktop |
|
+|AllowAddressBarDropdown|Windows 10, Windows Insider Program|Desktop|
|
+|AllowAutofill|Windows 10 or later|Desktop|
|
+|AllowBrowser|Windows 10 or later|Mobile|
|
+|AllowCookies|Windows 10 or later|Both|
|
+|AllowDeveloperTools|Windows 10, Version 1511 or later|Desktop|
|
+|AllowDoNotTrack|Windows 10 or later|Both|
|
+|AllowExtensions|Windows 10, Version 1607 and later|Desktop|
|
+|AllowFlash|Windows 10 or later|Desktop|
|
+|AllowFlashClickToRun|Windows 10, Windows Insider Program|Desktop|
|
+|AllowInPrivate|Windows 10, Version 1511 or later|Both|
|
+|AllowMicrosoftCompatibilityList|Windows 10, Windows Insider Program|Both|
|
+|AllowPasswordManager|Windows 10 or later|Both|
|
+|AllowPopups|Windows 10 or later|Desktop|
|
+|AllowSearchEngineCustomization|Windows 10, Windows Insider Program|Both|
|
+|AllowSearchSuggestions
inAddressBar|Windows 10 or later|Both|
|
+|AllowSmartScreen|Windows 10 or later|Both|
|
+|ClearBrowsingDataOnExit|Windows 10, Windows Insider Program|Both|
|
+|ConfigureAdditionalSearchEngines|Windows 10, Windows Insider Program|Both|
|
+|DisableLockdownOfStartPages|Windows 10, Windows Insider Program|Desktop|
|
+|EnterpriseModeSiteList|Windows 10 or later|Desktop|
|
+|Favorites|Windows 10, Version 1511 or later|Both|
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
|
+|FirstRunURL|Windows 10, Version 1511 or later|Mobile|
`
`
URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.
|
+|HomePages|Windows 10, Version 1511 or later|Desktop|
`
|
+|PreventAccessToAbout
`
FlagsInMicrosoftEdge|Windows 10, Version 1607 and later|Desktop|
|
+|PreventFirstRunPage|Windows 10, Windows Insider Program|Both|
|
+|PreventLiveTileDataCollection|Windows 10, Windows Insider Program|Both|
|
+|PreventSmartScreenPromptOverride|Windows 10, Version 1511 or later|Both|
|
+|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 or later|Both|
|
+|PreventUsingLocalHost
IPAddressForWebRTC|Windows 10, Version 1511 or later|Desktop|
|
+|SendIntranetTraffic
toInternetExplorer|Windows 10 or later|Desktop|
|
+|SetDefaultSearchEngine|Windows 10, Windows Insider Program|Both|
|
+|ShowMessageWhen
OpeningInteretExplorer
Sites|Windows 10, Version 1607 and later|Desktop|
|
+|SyncFavoritesBetweenIEAndMicrosoftEdge|Windows 10, Windows Insider Program|Desktop|
|
+
## Microsoft Edge and Windows 10-specific Group Policy settings
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
-|Group Policy setting |Description |Options |
-| --------------------|--------------|---------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Whether employees can use Cortana. |**Enabled or not configured:** Employees can use Cortana on their devices.
|
-|AllowSyncMySettings |Desktop |
|
+|MDM Policy name|Supports|Details|
+|----------------|--------------|-------------------|
+|AllowCortana|Both|
|
+|AllowSyncMySettings|Desktop|
|
## Related topics
* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)
-* [Mobile Data Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
-
-
-
-
-
-
-
-
+* [Mobile Data Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
\ No newline at end of file
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index f188b5e0ee..4058411223 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -12,6 +12,11 @@ This topic lists new and updated topics in the Microsoft Edge documentation for
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
+## February 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Available Group Policy and Mobile Data Management (MDM) settings policies for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. |
+
## November 2016
|New or changed topic | Description |
|----------------------|-------------|
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index 4cabfa693f..fefb61f858 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -29,7 +29,7 @@ If you're having trouble deciding whether Microsoft Edge is good for your organi
[Click to enlarge](img-microsoft-edge-infographic-lg.md)
-[Click to download image](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
+[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892)
### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
@@ -50,10 +50,10 @@ IE11 offers enterprises additional security, manageability, performance, backwar
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
-- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
-- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
-- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
+- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892)
+- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
+- [Download Internet Explorer 11](http://windows.microsoft.com/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
-- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
-- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
\ No newline at end of file
+- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index)
+- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index b17d3b59ae..93d825a26b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -17,7 +17,7 @@ If you’re having problems launching your legacy apps while running Internet Ex
1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
-2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
+2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 5178b33d1f..a4a2db0dae 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -41,8 +41,8 @@ In IE, press **ALT+V** to show the **View** menu, press **T** to enter the **Too
## Where did the search box go?
IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider.
-**Note**
-Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
+>[!NOTE]
+>Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index a1e744e8fe..1c6e2264ab 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,8 +1,9 @@
# [Microsoft HoloLens](index.md)
## [HoloLens in the enterprise: requirements](hololens-requirements.md)
## [Set up HoloLens](hololens-setup.md)
-## [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md)
+## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
-## [Install apps on HoloLens](hololens-install-apps.md)
\ No newline at end of file
+## [Install apps on HoloLens](hololens-install-apps.md)
+## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
\ No newline at end of file
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
new file mode 100644
index 0000000000..fb1d9fe158
--- /dev/null
+++ b/devices/hololens/change-history-hololens.md
@@ -0,0 +1,21 @@
+---
+title: Change history for Microsoft HoloLens documentation
+description: This topic lists new and updated topics for HoloLens.
+keywords: change history
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Change history for Microsoft HoloLens documentation
+
+This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+
+## January 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| All topics | Changed all references from **Windows Holographic Enterprise** to **Windows Holographic for Business** |
\ No newline at end of file
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index 24912f3416..87a2cfa705 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -6,14 +6,15 @@ ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Enroll HoloLens in MDM
-You can manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
+You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
>[!NOTE]
->Mobile device management (MDM) for Development Edition HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md).
+>Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
## Requirements
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md
index e5298640a5..ddd3a6d6b5 100644
--- a/devices/hololens/hololens-install-apps.md
+++ b/devices/hololens/hololens-install-apps.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Install apps on HoloLens
@@ -15,7 +16,7 @@ The recommended way to install Universal Windows Platform (UWP) apps on HoloLens
You can also deploy apps using your mobile device management (MDM) provider or use the Windows Device Portal to install apps, if you enable **Developer Mode** on the HoloLens device.
>[!IMPORTANT]
- >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.** Developer Mode** on a device that has been upgraded to Windows Holographic Enterprise enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
+ >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.**Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
## Use Windows Store for Business to deploy apps to HoloLens
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index df5b610c5a..54d65e5489 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Set up HoloLens in kiosk mode
@@ -17,7 +18,7 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap
1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
>[!IMPORTANT]
- >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic Enterprise enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
+ >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
@@ -31,7 +32,7 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap
>[!NOTE]
- >The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has an [Enterprise license](hololens-upgrade-enterprise.md).
+ >The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**.
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 94024a8e86..c341d5ffb2 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Configure HoloLens using a provisioning package
@@ -13,7 +14,7 @@ author: jdeckerMS
Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages.
Some of the HoloLens configurations that you can apply in a provisioning package:
-- Upgrade to Windows Holographic Enterprise
+- Upgrade to Windows Holographic for Business
- Set up a local account
- Set up a Wi-Fi connection
- Apply certificatess to the device
@@ -31,7 +32,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
## Create a provisioning package for HoloLens
>[!NOTE]
->Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic Enterprise or if [the device has already been upgraded to Windows Holographic Enterprise](hololens-upgrade-enterprise.md).
+>Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
1. On the Windows ICD start page, select **Advanced provisioning**.
@@ -100,7 +101,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
-In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.co/library/windows/hardware/dn920025.aspx#HoloLens). The following table describes settings that you might want to configure for HoloLens.
+In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
@@ -109,7 +110,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.
**IMPORTANT**
If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery). |
| **Certificates** | Deploy a certificate to HoloLens. |
| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
-| **EditionUpgrade** | [Upgrade to Windows Holographic Enterprise.](hololens-upgrade-enterprise.md) |
+| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md) |
| **Policies** | Allow or prevent developer mode on HoloLens. |
>[!NOTE]
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index 959a0c2402..d8a1c1b901 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Microsoft HoloLens in the enterprise: requirements
@@ -35,7 +36,7 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
- Wi-Fi network
- Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
-## Upgrade to Windows Holographic Enterprise
+## Upgrade to Windows Holographic for Business
- HoloLens Enterprise license XML file
@@ -44,11 +45,11 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
## Related resources
-[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
+[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/)
-[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
+[Get started with Intune](https://docs.microsoft.com/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
-[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
+[Enroll devices for management in Intune](https://docs.microsoft.com/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
-[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
+[Azure AD editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)
diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md
index 134a4bd36d..711052c786 100644
--- a/devices/hololens/hololens-setup.md
+++ b/devices/hololens/hololens-setup.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Set up HoloLens
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index c931421935..bcc472ca43 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -1,21 +1,22 @@
---
-title: Unlock Windows Holographic Enterprise features (HoloLens)
-description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise.
+title: Unlock Windows Holographic for Business features (HoloLens)
+description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
-# Unlock Windows Holographic Enterprise features
+# Unlock Windows Holographic for Business features
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
-When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic Enterprise. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
+When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
>[!TIP]
->You can tell that the HoloLens has been upgraded to the Enterprise edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic Enterprise.
+>You can tell that the HoloLens has been upgraded to the business edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic for Business.
diff --git a/devices/hololens/images/upgrade-flow.png b/devices/hololens/images/upgrade-flow.png
deleted file mode 100644
index 127c3358f4..0000000000
Binary files a/devices/hololens/images/upgrade-flow.png and /dev/null differ
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index d279a9a072..b57a42f178 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -6,13 +6,14 @@ ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Microsoft HoloLens
-
## In this section
@@ -21,7 +22,7 @@ author: jdeckerMS
| --- | --- |
| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
-| [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise|
+| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business|
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune |
| [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app |
| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 47279ae319..a9cde81f15 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -5,7 +5,8 @@
#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
-##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)
+##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
+##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
##### [Create a device account using UI](create-a-device-account-using-office-365.md)
##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
@@ -35,5 +36,7 @@
#### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
+## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
+## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Change history for Surface Hub](change-history-surface-hub.md)
\ No newline at end of file
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 5aa1cfc951..46348c087d 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett
| Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
| Other options | Defaults selected for **Visual options** and **Touch feedback**. |
-Additionally, these accessibility features and apps are returned to default settings when users press [**I'm Done**](i-am-done-finishing-your-surface-hub-meeting.md):
+Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md):
- Narrator
- Magnifier
- High contrast
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index f85267c41d..74ee57c2f5 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -14,11 +14,20 @@ localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## February 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | New |
+
## January 2017
| New or changed topic | Description |
| --- | --- |
+| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | New |
+| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | New |
| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. |
+| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. |
## December 2016
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index ec7e16757b..9930a748e3 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -46,7 +46,8 @@ For detailed steps using PowerShell to provision a device account, choose an opt
| Organization deployment | Description |
|---------------------------------|--------------------------------------|
| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
-| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
+| [On-premises deployment (single-forest)](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a single-forest environment. |
+| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
diff --git a/devices/surface-hub/device-reset-suface-hub.md b/devices/surface-hub/device-reset-suface-hub.md
deleted file mode 100644
index f91cbdd7b9..0000000000
--- a/devices/surface-hub/device-reset-suface-hub.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: Device reset (Surface Hub)
-description: You may wish to reset your Microsoft Surface Hub.
-ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
-redirect_url: https://technet.microsoft.com/itpro/surface-hub/device-reset-surface-hub
-keywords: reset Surface Hub
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: TrudyHa
----
-
-
-
-
-
-
-
-
-
-
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index dc24991701..f2cb38c5f2 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -31,9 +31,11 @@ Initiating a reset will return the device to the last cumulative Windows update,
- Configurations from MDM or the Settings app
> [!IMPORTANT]
-> Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+> Performing a device reset may take up to 6 hours. Do not turn off or unplug the Surface Hub until the process has completed. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
-After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again.
+After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. If the Surface Hub displays a Welcome screen, that indicates that the reset encountered a problem and rolled back to the previously existing OS image.
+
+If you see a blank screen for long periods of time during the **Reset device** process, please wait and do not take any action.
## Reset a Surface Hub from Settings
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 43cc104e63..6ee36023cc 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -60,7 +60,8 @@ If the default values shown are correct, then you can click **Next** to go on. O
### What happens?
->**Note** Once the settings on this page are entered, you can't come back to this screen unless you reset the device (see [Device reset](device-reset-suface-hub.md)). Make sure that the settings are properly configured before proceeding.
+>[!NOTE]
+> Once the settings on this page are entered, you can't come back to this screen unless you reset the device (see [Device reset](device-reset-surface-hub.md)). Make sure that the settings are properly configured before proceeding.
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index ddbbfb4fab..22e94d2746 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -6,35 +6,25 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
localizationpriority: medium
---
# Microsoft Surface Hub
-Documents related to the Microsoft Surface Hub.
+Documents related to deploying and managing the Microsoft Surface Hub in your organization.
+
+>[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub)
## In this section
+| Topic | Description |
+| --- | --- |
+| [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) | This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.|
+| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. |
+| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. |
+| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. |
+| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation. |
+
- 
-
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 2f658f6fd8..d26712627a 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -16,10 +16,9 @@ localizationpriority: medium
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
A few things to know about apps on Surface Hub:
-- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp).
+- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps).
- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
-- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.
-- When submitting an app to the Windows Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
+- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Windows Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Windows Store to download and install apps.
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 40fdda11b1..d8661c166c 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -57,6 +57,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
+
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune)
@@ -104,6 +105,14 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server
To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
+**If you use a proxy server or other method to block URLs**
+
+If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”:
+- `http(s)://*.update.microsoft.com`
+- `http://download.windowsupdate.com`
+- `http://windowsupdate.microsoft.com`
+
+Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state.
## Maintenance window
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 9f45d3d355..4b96956704 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -101,6 +101,9 @@ This table describes the sample queries in the Surface Hub solution:
For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
+>[!NOTE]
+>Surface Hub does not currently support the use of a proxy server to communicate with the OMS service.
+
| Agent resource | Ports | Bypass HTTPS inspection? |
| --------------------------- | ----- | ------------------------ |
| *.ods.opinsights.azure.com | 443 | Yes |
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index a2103eec0b..8914899056 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -1,5 +1,5 @@
---
-title: On-premises deployment (Surface Hub)
+title: On-premises deployment single forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
keywords: single forest deployment, on prem deployment, device account, Surface Hub
@@ -11,12 +11,12 @@ author: TrudyHa
localizationpriority: medium
---
-# On-premises deployment (Surface Hub)
+# On-premises deployment for Surface Hub in a single-forest environment
This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
-If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
+If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md).
1. Start a remote PowerShell session from a PC and connect to Exchange.
@@ -99,7 +99,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it:
```PowerShell
- CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
+ Set-CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
-LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com
-Identity HUB01 -EnterpriseVoiceEnabled $true
```
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
new file mode 100644
index 0000000000..08688230d6
--- /dev/null
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -0,0 +1,105 @@
+---
+title: On-premises deployment multi-forest (Surface Hub)
+description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
+ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
+keywords: multi forest deployment, on prem deployment, device account, Surface Hub
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# On-premises deployment for Surface Hub in a multi-forest environment
+
+
+This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
+
+If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md).
+
+1. Start a remote PowerShell session from a PC and connect to Exchange.
+
+ Be sure you have the right permissions set to run the associated cmdlets.
+
+ Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server.
+
+ ```PowerShell
+ Set-ExecutionPolicy Unrestricted
+ $org='contoso.microsoft.com'
+ $cred=Get-Credential $admin@$org
+ $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue
+ $sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue
+ Import-PSSession $sessExchange
+ Import-PSSession $sessLync
+ ```
+
+2. After establishing a session, create a new mailbox in the Resource Forest. This will allow the account to authenticate into the Surface Hub.
+
+ If you're changing an existing resource mailbox:
+
+ ```PowerShell
+ New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01"
+ ```
+
+3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.
+
+ Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
+
+ If you haven’t created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts.
+
+ ```PowerShell
+ $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
+ ```
+
+ Once you have a compatible policy, then you will need to apply the policy to the device account.
+
+ ```PowerShell
+ Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy -ActiveSyncEnabled $true
+ Set-Mailbox $acctUpn -Type Room
+ ```
+
+4. Various Exchange properties can be set on the device account to improve the meeting experience for people. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
+
+ ```PowerShell
+ Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
+ Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
+ ```
+
+5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. This should be set in the User Forest.
+
+ ```PowerShell
+ Set-AdUser $acctUpn -PasswordNeverExpires $true
+ ```
+
+6. Enable the account in Active Directory so it will authenticate to the Surface Hub. This should be set in the User Forest.
+
+ ```PowerShell
+ Set-AdUser $acctUpn -Enabled $true
+ ```
+
+6. You now need to change the room mailbox to a linked mailbox:
+
+ ```PowerShell
+ $cred=Get-Credential AuthForest\LinkedRoomTest1
+ Set-mailbox -Alias LinkedRoomTest1 -LinkedMasterAccount AuthForest\LinkedRoomTest1 -LinkedDomainController AuthForest-4939.AuthForest.extest.contoso.com -Name LinkedRoomTest1 -LinkedCredential $cred -Identity LinkedRoomTest1
+ ```
+
+7. Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool:
+
+ ```PowerShell
+ Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com"
+ -DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com
+ -Identity HUB01
+ ```
+
+ You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity.
+
+
+
+
+
+
+
+
+
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 571a848679..8905e5b36c 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -54,13 +54,10 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
- Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
+ Once you have a compatible policy, then you will need to apply the policy to the device account.
```PowerShell
- Set-Mailbox 'HUB01@contoso.com' -Type Regular
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id
- Set-Mailbox 'HUB01@contoso.com' -Type Room
- Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (ConvertTo-SecureString -String
-
-
-
-Topic
-Description
-
-
-[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.
-
-
-[Change history for Surface Hub](change-history-surface-hub.md) This topic lists new and updated topis in the Surface Hub documentation.
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index ee3fbbd2b8..0ce34a2dfe 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -13,6 +13,7 @@
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
+### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md)
## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 5c29629a05..a6195be9e0 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -11,13 +11,18 @@ author: jdeckerMS
This topic lists new and updated topics in the Surface documentation library.
+## January 2017
+
+|New or changed topic | Description |
+| --- | --- |
+|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | New |
+
## December 2016
|New or changed topic | Description |
| --- | --- |
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
-
## November 2016
|New or changed topic | Description |
diff --git a/devices/surface/images/sda-fig5-erase.png b/devices/surface/images/sda-fig5-erase.png
index cf8abe7dce..8ac3e174a7 100644
Binary files a/devices/surface/images/sda-fig5-erase.png and b/devices/surface/images/sda-fig5-erase.png differ
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 3bd0c700bd..7a352fb536 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -33,7 +33,9 @@ For more information on planning for, deploying, and managing Surface devices in
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
+## Learn more
+[Certifying Surface Pro 4 and Surface Book as standard devices at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/849/Certifying-Surface-Pro-4-and-Surface-Book-as-standard-devices-at-Microsoft)
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index ad68711a00..4a39f0775e 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -16,7 +16,7 @@ author: miladCA
Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
-[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB tool is easy to create by using the provided wizard, the Microsoft Surface Data Eraser Wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy).
+[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy).
Compatible Surface devices include:
@@ -100,43 +100,41 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
1. Insert the bootable Microsoft Surface Data Eraser USB stick into the supported Surface device.
-2. Ensure your system firmware is set to boot to USB. To enter the firmware settings:
+2. Boot your Surface device from the Microsoft Surface Data Eraser USB stick. To boot your device from the USB stick follow these steps:
- 1. Turn off your Surface device.
+ a. Turn off your Surface device.
- 2. Press and hold the **Volume Up** button.
+ b. Press and hold the **Volume Down** button.
- 3. Press and release the **Power** button.
+ c. Press and release the **Power** button.
- 4. Release the **Volume Up** button.
+ d. Release the **Volume Down** button.
+
+ >[!NOTE]
+ >If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
-3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed.
+3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4.
*Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
-4. Read the software license terms, and then close the notepad file.
+4. Read the software license terms, and then close the Notepad file.
-5. Accept or Decline the Software License Terms by typing **Accept** or **Decline**.
+5. Accept or decline the software license terms by typing **Accept** or **Decline**. You must accept the license terms to continue.
-6. Select one of the following three options:
+6. The Microsoft Surface Data Eraser script detects the storage devices that are present in your Surface device and displays the details of the native storage device. To continue, press **Y** (this action runs Microsoft Surface Data Eraser and removes all data from the storage device) or press **N** (this action shuts down the device without removing data).
- - **Enter S to start Data Erase** – Select this option to begin the data erase process. You will have a chance to confirm in the next step.
+ >[!NOTE]
+ >The Microsoft Surface Data Eraser tool will delete all data, including Windows operating system files required to boot the device, in a secure and unrecoverable way. To boot a Surface device that has been wiped with Microsoft Surface Data Eraser, you will first need to reinstall the Windows operating system. To remove data from a Surface device without removing the Windows operating system, you can use the **Reset your PC** function. However, this does not prevent your data from being recovered with forensic or data recovery capabilities. See [Recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options) for more information.
- - **Enter D to perform Diskpart** – Select this option to use diskpart.exe to manage partitions on your disk.
+ 
+
+ *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
- - **Enter X to shut device down** – Select this option to perform no action and shut down the device.
+7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
-7. If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device.
-
- 
-
- *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
-
-8. If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
-
-9. Click the **Yes** button to continue erasing data on the Surface device.
+8. Click the **Yes** button to continue erasing data on the Surface device.
diff --git a/devices/surface/update.md b/devices/surface/update.md
index 3e00c77e71..46d1f3b6bd 100644
--- a/devices/surface/update.md
+++ b/devices/surface/update.md
@@ -16,6 +16,7 @@ Find out how to download and manage the latest firmware and driver updates for y
| Topic | Description |
| --- | --- |
+|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. |
| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index f44e7cf414..5e81cad6ce 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -413,3 +413,12 @@ When you deploy SEMM using this script application and with a configuration that
Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user – in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article.
Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM.
+
+>[!NOTE]
+>Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate.
+
+>We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that – just like the certificate itself – this universal reset package can be used to unenroll any of your organization’s Surface devices from SEMM.
+
+>When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken.
+
+>For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken.
\ No newline at end of file
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
new file mode 100644
index 0000000000..cee0c58856
--- /dev/null
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -0,0 +1,56 @@
+---
+title: Wake On LAN for Surface devices (Surface)
+description: See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically – even if the devices are powered down.
+keywords: update, deploy, driver, wol, wake-on-lan
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: jobotto
+---
+
+# Wake On LAN for Surface devices
+
+Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as System Center Configuration Manager) automatically – even if the devices are powered down. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using System Center Configuration Manager during a window in the middle of the night, when the office is empty.
+
+>[!NOTE]
+>Surface devices must be connected to AC power to support WOL.
+
+## Supported devices
+
+The following devices are supported for WOL:
+
+* Surface Book
+* Surface Pro 4
+* Surface Pro 3
+* Surface 3
+* Surface Ethernet adapter
+* Surface Dock
+* Surface Docking Station for Surface Pro 3
+
+## WOL driver
+
+To enable WOL support on Surface devices, a specific driver for the Surface Ethernet adapter is required. This driver is not included in the standard driver and firmware pack for Surface devices – you must download and install it separately. You can download the Surface WOL driver (SurfaceWOL.msi) from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
+
+You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or you can distribute it to Surface devices with an application deployment solution, such as System Center Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an application during the deployment process. You can also extract the Surface WOL driver files to include them in the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT) deployment share. You can read more about Surface deployment with MDT in [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/deploy-windows-10-to-surface-devices-with-mdt).
+
+>[!NOTE]
+>During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during deployment, this registry key will not be configured and must be configured manually or with a script.
+
+>**HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests**
+
+To extract the contents of SurfaceWOL.msi, use the MSIExec administrative installation option (**/a**), as shown in the following example, to extract the contents to the C:\WOL\ folder:
+
+ `msiexec /a surfacewol.msi targetdir=C:\WOL /qn`
+
+## Using Surface WOL
+
+The Surface WOL driver conforms to the WOL standard, whereby the device is woken by a special network communication known as a magic packet. The magic packet consists of 6 bytes of 255 (or FF in hexadecimal) followed by 16 repetitions of the target computer’s MAC address. You can read more about the magic packet and the WOL standard on [Wikipedia](https://wikipedia.org/wiki/Wake-on-LAN#Magic_packet).
+
+>[!NOTE]
+>To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or DNS name of the device.
+
+Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Windows Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
+
+>[!NOTE]
+>After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which allows applications to prevent sleep. See the [WOL driver](#wol-driver) section of this article for more information about this registry key.
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index c2c0340c07..f47b4a68e2 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -12,7 +12,6 @@
## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
-### [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md)
### [Take a Test app technical reference](take-a-test-app-technical.md)
## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 9fabe579b5..e83f98b49f 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -5,13 +5,18 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-author: jdeckerMS
+author: CelesteDG
---
# Change history for Windows 10 for Education
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## January 2017
+| New or changed topic | Description |
+| --- | --- |
+| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Learn how schools can use invoices to pay for Minecraft: Education Edition. |
+
## December 2016
| New or changed topic | Description |
| --- | --- |
diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md
index 64a6208970..c2df9fb7ba 100644
--- a/education/windows/create-tests-using-microsoft-forms.md
+++ b/education/windows/create-tests-using-microsoft-forms.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
+redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms
---
# Create tests using Microsoft Forms
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 8a42859576..ce335d4357 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -91,9 +91,9 @@ Find apps for your school using Windows Store for Business. Admins in an educati
**To acquire apps**
- For info on how to acquire apps, see [Acquire apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#acquire-apps)
-**To add a payment method**
+**To add a payment method - debit or credit card**
-If you the app you purchase has a price, you’ll need to provide a payment method.
+If the app you purchase has a price, you’ll need to provide a payment method.
- Click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
For more information on payment options, see [payment options](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#payment-options).
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 200b8a1ce9..91345b72c1 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -5,7 +5,7 @@ keywords: school
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-author: jdeckerMS
+author: trudyha
---
# Get Minecraft: Education Edition
diff --git a/education/windows/images/mcee-add-payment-method.png b/education/windows/images/mcee-add-payment-method.png
new file mode 100644
index 0000000000..e583b4eccc
Binary files /dev/null and b/education/windows/images/mcee-add-payment-method.png differ
diff --git a/education/windows/images/mcee-invoice-bills.PNG b/education/windows/images/mcee-invoice-bills.PNG
new file mode 100644
index 0000000000..1a07ac3f01
Binary files /dev/null and b/education/windows/images/mcee-invoice-bills.PNG differ
diff --git a/education/windows/images/mcee-invoice-info.png b/education/windows/images/mcee-invoice-info.png
new file mode 100644
index 0000000000..f4bf29f8b2
Binary files /dev/null and b/education/windows/images/mcee-invoice-info.png differ
diff --git a/education/windows/images/mcee-view-bills.png b/education/windows/images/mcee-view-bills.png
new file mode 100644
index 0000000000..5aeff48109
Binary files /dev/null and b/education/windows/images/mcee-view-bills.png differ
diff --git a/education/windows/images/take_a_test_flow.png b/education/windows/images/take_a_test_flow.png
new file mode 100644
index 0000000000..261813c7f8
Binary files /dev/null and b/education/windows/images/take_a_test_flow.png differ
diff --git a/education/windows/images/take_a_test_workflow.png b/education/windows/images/take_a_test_workflow.png
new file mode 100644
index 0000000000..a4c7a84686
Binary files /dev/null and b/education/windows/images/take_a_test_workflow.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 549abcd666..9554614c4c 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -14,42 +14,76 @@ author: CelesteDG
# Windows 10 for Education
-##  Learn
+## Windows 10
+
+###  Learn
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
Find out more about the features and functionality we support in each edition of Windows.
When you've made your decision, find out how to buy Windows for your school.
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
Find out more about the features and functionality we support in each edition of Windows.
When you've made your decision, find out how to buy Windows for your school.
Depending on your school's device management needs, Windows offers a variety of options that you can use to set up Windows 10 on your devices.
Depending on your school's device management needs, you can use **Set up School PCs** or the *Provision school devices* option in **Windows Imaging and Configuration Designer** to quickly set up student PCs.
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.
For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
Get an overview of Windows 8.1 deployment to PCs in an educational environment.
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Explore Windows Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
+
+
@@ -102,12 +103,7 @@ Before you deploy Office by using App-V, review the following requirements.
@@ -154,9 +150,7 @@ The following table describes the recommended methods for excluding specific Off
Complete the following steps to create an Office 2016 package for App-V 5.0 or later.
-**Important**
-In App-V 5.0 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
-
+>**Important** In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
### Review prerequisites for using the Office Deployment Tool
@@ -190,13 +184,12 @@ The computer on which you are installing the Office Deployment Tool must have:
-**Note**
-In this topic, the term “Office 2016 App-V package” refers to subscription licensing and volume licensing.
+>**Note** In this topic, the term “Office 2016 App-V package” refers to subscription licensing.
### Create Office 2016 App-V Packages Using Office Deployment Tool
-You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Volume Licensing or Subscription Licensing.
+You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing.
Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
@@ -206,6 +199,7 @@ Office 2016 App-V Packages are created using the Office Deployment Tool, which g
1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
+>**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
Example: \\\\Server\\Office2016
@@ -237,8 +231,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
```
- **Note**
- The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line.
+ >**Note** The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line.
The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
@@ -269,13 +262,14 @@ The XML file that is included in the Office Deployment Tool specifies the produc
-
Product ID ="O365ProPlusRetail "Product ID ="VisioProRetail"Product ID ="ProjectProRetail"Product ID ="ProPlusVolume"Product ID ="VisioProVolume"Product ID = "ProjectProVolume"
15.1.2.316.1.2.3
+
-
Product ID
-Volume Licensing
Subscription Licensing
-
<Configuration>
<Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail">
@@ -446,44 +432,7 @@ After you download the Office 2016 applications through the Office Deployment To
- <Configuration>
- <Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
- <Product ID="ProPlusVolume">
- <Language ID="en-us" />
- </Product>
- <Product ID="VisioProVolume">
- <Language ID="en-us" />
- </Product>
- </Add>
- </Configuration>
-
-
-
-
-
- ProPlusVolume.
-
-
- VisioProVolume.
@@ -531,7 +475,7 @@ After you download the Office 2016 applications through the Office Deployment To
+
2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
-### Managing Office 2016 licensing upgrades
-
-If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2016 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade:
-
-**How to upgrade an Office 2016 License**
-
-1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package.
-
-2. Remove the unpublished Office 2016 Subscription Licensing App-V package.
-
-3. Restart the computer.
-
-4. Add the new Office 2016 App-V Package Volume Licensing.
-
-5. Publish the added Office 2016 App-V Package with Volume Licensing.
-
-An Office 2016 App-V Package with your chosen licensing will be successfully deployed.
### Deploying Visio 2016 and Project 2016 with Office
@@ -802,7 +722,7 @@ The following table describes the requirements and options for deploying Visio 2
-
-
+
### Packaging, publishing, and deployment requirements
Before you deploy Office by using App-V, review the following requirements.
@@ -80,10 +81,11 @@ Before you deploy Office by using App-V, review the following requirements.
+
+
@@ -101,12 +103,7 @@ Before you deploy Office by using App-V, review the following requirements.
@@ -153,10 +150,7 @@ The following table describes the recommended methods for excluding specific Off
Complete the following steps to create an Office 2016 package for App-V 5.1 or later.
-**Important**
-In App-V 5.1 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
-
-
+>**Important** In App-V 5.1 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
### Review prerequisites for using the Office Deployment Tool
@@ -182,23 +176,20 @@ The computer on which you are installing the Office Deployment Tool must have:
-
-
-
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
-2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
+2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details:
``` syntax
\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml
@@ -355,41 +340,35 @@ After you download the Office 2016 applications through the Office Deployment To
- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
-- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
+- Create an Office App-V package for Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
+>**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+
Product ID ="O365ProPlusRetail"Product ID ="O365ProPlusRetail "Product ID ="VisioProRetail"Product ID ="ProjectProRetail"Product ID ="ProPlusVolume"Product ID ="VisioProVolume"Product ID = "ProjectProVolume"
Sourcepath = "\\Server\Office2016"Sourcepath = "\\Server\Office2016”
Branch = "Business"
-
Product ID
-Volume Licensing
Subscription Licensing
-
<Configuration>
<Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail">
@@ -455,59 +432,17 @@ After you download the Office 2016 applications through the Office Deployment To
- <Configuration>
- <Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
- <Product ID="ProPlusVolume">
- <Language ID="en-us" />
- </Product>
- <Product ID="VisioProVolume">
- <Language ID="en-us" />
- </Product>
- </Add>
- </Configuration>
-
-
-
-
-
- ProPlusVolume.
-
-
- VisioProVolume.
@@ -540,7 +475,7 @@ After you download the Office 2016 applications through the Office Deployment To
-
+
2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
-### Managing Office 2016 licensing upgrades
-
-If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2013 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade:
-
-**How to upgrade an Office 2016 License**
-
-1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package.
-
-2. Remove the unpublished Office 2016 Subscription Licensing App-V package.
-
-3. Restart the computer.
-
-4. Add the new Office 2016 App-V Package Volume Licensing.
-
-5. Publish the added Office 2016 App-V Package with Volume Licensing.
-
-An Office 2016 App-V Package with your chosen licensing will be successfully deployed.
### Deploying Visio 2016 and Project 2016 with Office
@@ -851,28 +763,21 @@ The following table describes the requirements and options for deploying Visio 2
-
## Additional resources
-**Office 2016 App-V Packages Additional Resources**
+[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md)
+
+[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md)
[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
-[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680)
-
-**Office 2013 and Office 2010 App-V Packages**
-
-[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v51.md)
-
-[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v51.md)
-
**Connection Groups**
[Deploying Connection Groups in Microsoft App-V v5](https://go.microsoft.com/fwlink/p/?LinkId=330683)
-[Managing Connection Groups](managing-connection-groups51.md)
+[Managing Connection Groups](managing-connection-groups.md)
**Dynamic Configuration**
diff --git a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md
index 1a49736c59..34ae20a4f8 100644
--- a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md
+++ b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md
@@ -29,7 +29,10 @@ Use the following procedure to view and configure default package extensions.
5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process.
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+>**Note** If the upload fails and the size of your configuration file is above 4MB, you will need to increase the maximum file size allowed by the server. This can be done by adding the maxRequestLength attribute with a value greater than the size of your configuration file (in KB) to the httpRuntime element on line 26 of C:\Program Files\Microsoft Application Virtualization Server\ManagementService\Web.config. For example, changing'
-
-
@@ -338,34 +329,26 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll
-
-
-
-
-
-
-
-
+
+
+
@@ -567,7 +550,11 @@ The following table lists the operating systems that are supported for MBAM Grou
-
+## MBAM In Azure IaaS
+
+The MBAM server can be deployed in Azure Infrastructure as a Service (IaaS) on any of the supported OS versions listed above, connecting to an Active Directory hosted on premises or an Active Directory also hosted in Azure IaaS. Documentation for setting up and configuring Active Directory on Azure IaaS is [here](https://msdn.microsoft.com/en-us/library/azure/jj156090.aspx).
+
+The MBAM client is not supported on virtual machines and is also not supported on Azure IaaS.
## Got a suggestion for MBAM?
diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
index 4ec1527347..e94fb17522 100644
--- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
+++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
@@ -76,7 +76,7 @@ Before you proceed, make sure your environment includes these requirements for r
-
+
+
+
+
+
-
+**Note:** Starting with Windows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack
Also…
diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
index 886b343e52..c1ae38e981 100644
--- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
+++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
@@ -45,7 +45,7 @@ This workflow diagram provides a high-level understanding of a UE-V deployment a
-**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
+**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
- [Decide whether to synchronize settings for custom applications](#deciding)
@@ -597,15 +597,19 @@ The UE-V settings storage location and settings template catalog support storing
- Format the storage volume with an NTFS file system.
-- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://go.microsoft.com/fwlink/p/?LinkId=313991).
+- The share can use Distributed File System (DFS) but there are restrictions.
+Specifically, Distributed File System Replication (DFS-R) single target configuration with or without a Distributed File System Namespace (DFS-N) is supported.
+Likewise, only single target configuration is supported with DFS-N.
+For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://go.microsoft.com/fwlink/p/?LinkId=313991)
+and also [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](https://support.microsoft.com/kb/2533009).
- In addition, because SYSVOL uses DFSR for replication, SYSVOL cannot be used for UE-V data file replication.
+ In addition, because SYSVOL uses DFS-R for replication, SYSVOL cannot be used for UE-V data file replication.
- Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the Settings Storage Location for UE-V 2.x](http://technet.microsoft.com/library/dn458891.aspx#ssl).
- Use file server clustering along with the UE-V Agent to provide access to copies of user state data in the event of communications failures.
-- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both.
+- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFS-N shares, or on both.
### Synchronize computer clocks for UE-V settings synchronization
@@ -663,10 +667,10 @@ Before you proceed, make sure your environment includes these requirements for r
-
+
+
@@ -697,6 +709,9 @@ Also…
- **Administrative Credentials** for any computer on which you’ll be installing
**Note**
+
+- Starting with WIndows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack.
+
- The UE-V Windows PowerShell feature of the UE-V Agent requires .NET Framework 4 or higher and Windows PowerShell 3.0 or higher to be enabled. Download Windows PowerShell 3.0 [here](https://go.microsoft.com/fwlink/?LinkId=309609).
- Install .NET Framework 4 or .NET Framework 4.5 on computers that run the Windows 7 or the Windows Server 2008 R2 operating system. The Windows 8, Windows 8.1, and Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed.
diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
index 4fed1981ec..98951382e3 100644
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@@ -5,12 +5,17 @@
### [Upgrade Analytics requirements](upgrade-analytics-requirements.md)
### [Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
### [Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
+#### [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md)
### [Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
-#### [Prepare your environment](upgrade-analytics-prepare-your-environment.md)
-#### [Resolve application and driver issues](upgrade-analytics-resolve-issues.md)
-#### [Deploy Windows](upgrade-analytics-deploy-windows.md)
-#### [Review site discovery](upgrade-analytics-review-site-discovery.md)
+#### [Upgrade overview](upgrade-analytics-upgrade-overview.md)
+#### [Step 1: Identify apps](upgrade-analytics-identify-apps.md)
+#### [Step 2: Resolve issues](upgrade-analytics-resolve-issues.md)
+#### [Step 3: Deploy Windows](upgrade-analytics-deploy-windows.md)
+#### [Additional insights](upgrade-analytics-additional-insights.md)
### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
+## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)
@@ -50,8 +55,17 @@
## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
## [Provisioning packages for Windows 10](provisioning-packages.md)
-### [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
-### [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md)
+### [How provisioning works in Windows 10](provisioning-how-it-works.md)
+### [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+### [Create a provisioning package](provisioning-create-package.md)
+### [Apply a provisioning package](provisioning-apply-package.md)
+### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+### [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+### [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+### [NFC-based device provisioning](provisioning-nfc.md)
+### [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md)
## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index f7e67993e5..af095cc5b1 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -11,6 +11,39 @@ author: greg-lindsay
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## February 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [USMT Requirements](usmt-requirements.md) | Updated: Vista support removed and other minor changes |
+| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated structure and content |
+| [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) | Added as a separate page from get started |
+| [Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting |
+| [Upgrade Analytics - Upgrade overview](upgrade-analytics-upgrade-overview.md) | New |
+| [Upgrade Analytics - Step 1: Identify important apps](upgrade-analytics-identify-apps.md) | Updated topic title and content |
+| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade-analytics-resolve-issues.md) | New |
+| [Upgrade Analytics - Step 3: Deploy Windows](upgrade-analytics-deploy-windows.md) | New |
+| [Upgrade Analytics - Additional insights](upgrade-analytics-additional-insights.md) | New |
+
+## January 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
+| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
+| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
+| [Apply a provisioning package](provisioning-apply-package.md) | New (previously published in other topics) |
+| [Create a provisioning package for Windows 10](provisioning-create-package.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Create a provisioning package with multivariant settings](provisioning-multivariant.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [How provisioning works in Windows 10](provisioning-how-it-works.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [NFC-based device provisioning](provisioning-nfc.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Windows ICD command-line interface (reference)](provisioning-command-line.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
+| [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](provisioning-apply-package.md) |
+| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](provisioning-apply-package.md) |
+
+
## October 2016
| New or changed topic | Description |
|----------------------|-------------|
diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
index 9591616e9d..f0830b38a4 100644
--- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
@@ -163,6 +163,9 @@ ramdisksdidevice boot
ramdisksdipath \boot\boot.sdi
```
+>[!TIP]
+>If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different.
+
## PXE boot process summary
The following summarizes the PXE client boot process.
diff --git a/windows/deploy/images/ISE.PNG b/windows/deploy/images/ISE.PNG
new file mode 100644
index 0000000000..edf53101f4
Binary files /dev/null and b/windows/deploy/images/ISE.PNG differ
diff --git a/windows/deploy/images/PoC-big.png b/windows/deploy/images/PoC-big.png
new file mode 100644
index 0000000000..de73506071
Binary files /dev/null and b/windows/deploy/images/PoC-big.png differ
diff --git a/windows/deploy/images/PoC.png b/windows/deploy/images/PoC.png
index de73506071..6d7b7eb5af 100644
Binary files a/windows/deploy/images/PoC.png and b/windows/deploy/images/PoC.png differ
diff --git a/windows/deploy/images/deploy-finish.PNG b/windows/deploy/images/deploy-finish.PNG
new file mode 100644
index 0000000000..4f0d5cb859
Binary files /dev/null and b/windows/deploy/images/deploy-finish.PNG differ
diff --git a/windows/deploy/images/disk2vhd-convert.PNG b/windows/deploy/images/disk2vhd-convert.PNG
new file mode 100644
index 0000000000..f0614a5ab1
Binary files /dev/null and b/windows/deploy/images/disk2vhd-convert.PNG differ
diff --git a/windows/deploy/images/disk2vhd-gen2.PNG b/windows/deploy/images/disk2vhd-gen2.PNG
new file mode 100644
index 0000000000..7f8d920f9d
Binary files /dev/null and b/windows/deploy/images/disk2vhd-gen2.PNG differ
diff --git a/windows/deploy/images/disk2vhd.PNG b/windows/deploy/images/disk2vhd.PNG
new file mode 100644
index 0000000000..7b9835f5f6
Binary files /dev/null and b/windows/deploy/images/disk2vhd.PNG differ
diff --git a/windows/deploy/images/disk2vhd4.PNG b/windows/deploy/images/disk2vhd4.PNG
new file mode 100644
index 0000000000..97f9448441
Binary files /dev/null and b/windows/deploy/images/disk2vhd4.PNG differ
diff --git a/windows/deploy/images/five.png b/windows/deploy/images/five.png
new file mode 100644
index 0000000000..961f0e15b7
Binary files /dev/null and b/windows/deploy/images/five.png differ
diff --git a/windows/deploy/images/four.png b/windows/deploy/images/four.png
new file mode 100644
index 0000000000..0fef213b37
Binary files /dev/null and b/windows/deploy/images/four.png differ
diff --git a/windows/deploy/images/icd-create-options.PNG b/windows/deploy/images/icd-create-options.PNG
new file mode 100644
index 0000000000..e61cdd8fc0
Binary files /dev/null and b/windows/deploy/images/icd-create-options.PNG differ
diff --git a/windows/deploy/images/icd-export-menu.png b/windows/deploy/images/icd-export-menu.png
new file mode 100644
index 0000000000..20bd5258eb
Binary files /dev/null and b/windows/deploy/images/icd-export-menu.png differ
diff --git a/windows/deploy/images/icd-install.PNG b/windows/deploy/images/icd-install.PNG
new file mode 100644
index 0000000000..a0c80683ff
Binary files /dev/null and b/windows/deploy/images/icd-install.PNG differ
diff --git a/windows/deploy/images/icd-multi-target-true.png b/windows/deploy/images/icd-multi-target-true.png
new file mode 100644
index 0000000000..5fec405fd6
Binary files /dev/null and b/windows/deploy/images/icd-multi-target-true.png differ
diff --git a/windows/deploy/images/icd-multi-targetstate-true.png b/windows/deploy/images/icd-multi-targetstate-true.png
new file mode 100644
index 0000000000..7733b9c400
Binary files /dev/null and b/windows/deploy/images/icd-multi-targetstate-true.png differ
diff --git a/windows/deploy/images/icd-runtime.PNG b/windows/deploy/images/icd-runtime.PNG
new file mode 100644
index 0000000000..d63544e206
Binary files /dev/null and b/windows/deploy/images/icd-runtime.PNG differ
diff --git a/windows/deploy/images/icd-script1.png b/windows/deploy/images/icd-script1.png
new file mode 100644
index 0000000000..6c17f70809
Binary files /dev/null and b/windows/deploy/images/icd-script1.png differ
diff --git a/windows/deploy/images/icd-script2.png b/windows/deploy/images/icd-script2.png
new file mode 100644
index 0000000000..7da2ae7e59
Binary files /dev/null and b/windows/deploy/images/icd-script2.png differ
diff --git a/windows/deploy/images/icd-setting-help.PNG b/windows/deploy/images/icd-setting-help.PNG
new file mode 100644
index 0000000000..3f6e5fefa5
Binary files /dev/null and b/windows/deploy/images/icd-setting-help.PNG differ
diff --git a/windows/deploy/images/icd-settings.PNG b/windows/deploy/images/icd-settings.PNG
new file mode 100644
index 0000000000..8d3ebc3ff6
Binary files /dev/null and b/windows/deploy/images/icd-settings.PNG differ
diff --git a/windows/deploy/images/icd-step1.PNG b/windows/deploy/images/icd-step1.PNG
new file mode 100644
index 0000000000..d2ad656d35
Binary files /dev/null and b/windows/deploy/images/icd-step1.PNG differ
diff --git a/windows/deploy/images/icd-step2.PNG b/windows/deploy/images/icd-step2.PNG
new file mode 100644
index 0000000000..54e70d9193
Binary files /dev/null and b/windows/deploy/images/icd-step2.PNG differ
diff --git a/windows/deploy/images/icd-step3.PNG b/windows/deploy/images/icd-step3.PNG
new file mode 100644
index 0000000000..ecac26f3d6
Binary files /dev/null and b/windows/deploy/images/icd-step3.PNG differ
diff --git a/windows/deploy/images/icd-step4.PNG b/windows/deploy/images/icd-step4.PNG
new file mode 100644
index 0000000000..8fcfa2863b
Binary files /dev/null and b/windows/deploy/images/icd-step4.PNG differ
diff --git a/windows/deploy/images/icd-step5.PNG b/windows/deploy/images/icd-step5.PNG
new file mode 100644
index 0000000000..9e96edd812
Binary files /dev/null and b/windows/deploy/images/icd-step5.PNG differ
diff --git a/windows/deploy/images/icd-switch.PNG b/windows/deploy/images/icd-switch.PNG
new file mode 100644
index 0000000000..e46e48a648
Binary files /dev/null and b/windows/deploy/images/icd-switch.PNG differ
diff --git a/windows/deploy/images/image.PNG b/windows/deploy/images/image.PNG
new file mode 100644
index 0000000000..0bbadcb68f
Binary files /dev/null and b/windows/deploy/images/image.PNG differ
diff --git a/windows/deploy/images/multi-target.png b/windows/deploy/images/multi-target.png
new file mode 100644
index 0000000000..fb6ddd7a2d
Binary files /dev/null and b/windows/deploy/images/multi-target.png differ
diff --git a/windows/deploy/images/nfc.png b/windows/deploy/images/nfc.png
new file mode 100644
index 0000000000..bfee563205
Binary files /dev/null and b/windows/deploy/images/nfc.png differ
diff --git a/windows/deploy/images/one.png b/windows/deploy/images/one.png
new file mode 100644
index 0000000000..7766e7d470
Binary files /dev/null and b/windows/deploy/images/one.png differ
diff --git a/windows/deploy/images/package-trust.png b/windows/deploy/images/package-trust.png
new file mode 100644
index 0000000000..4a996f23d5
Binary files /dev/null and b/windows/deploy/images/package-trust.png differ
diff --git a/windows/deploy/images/package.png b/windows/deploy/images/package.png
index f5e975e3e9..535773ad95 100644
Binary files a/windows/deploy/images/package.png and b/windows/deploy/images/package.png differ
diff --git a/windows/deploy/images/packages-mobile.png b/windows/deploy/images/packages-mobile.png
new file mode 100644
index 0000000000..4ce63dde78
Binary files /dev/null and b/windows/deploy/images/packages-mobile.png differ
diff --git a/windows/deploy/images/scanos.PNG b/windows/deploy/images/scanos.PNG
new file mode 100644
index 0000000000..d53a272018
Binary files /dev/null and b/windows/deploy/images/scanos.PNG differ
diff --git a/windows/deploy/images/sccm-asset.PNG b/windows/deploy/images/sccm-asset.PNG
new file mode 100644
index 0000000000..4dacaeb565
Binary files /dev/null and b/windows/deploy/images/sccm-asset.PNG differ
diff --git a/windows/deploy/images/sccm-assets.PNG b/windows/deploy/images/sccm-assets.PNG
new file mode 100644
index 0000000000..2cc50f5758
Binary files /dev/null and b/windows/deploy/images/sccm-assets.PNG differ
diff --git a/windows/deploy/images/sccm-client.PNG b/windows/deploy/images/sccm-client.PNG
new file mode 100644
index 0000000000..45e0ad8883
Binary files /dev/null and b/windows/deploy/images/sccm-client.PNG differ
diff --git a/windows/deploy/images/sccm-collection.PNG b/windows/deploy/images/sccm-collection.PNG
new file mode 100644
index 0000000000..01a1cca4a8
Binary files /dev/null and b/windows/deploy/images/sccm-collection.PNG differ
diff --git a/windows/deploy/images/sccm-install-os.PNG b/windows/deploy/images/sccm-install-os.PNG
new file mode 100644
index 0000000000..53b314b132
Binary files /dev/null and b/windows/deploy/images/sccm-install-os.PNG differ
diff --git a/windows/deploy/images/sccm-post-refresh.PNG b/windows/deploy/images/sccm-post-refresh.PNG
new file mode 100644
index 0000000000..e116e04312
Binary files /dev/null and b/windows/deploy/images/sccm-post-refresh.PNG differ
diff --git a/windows/deploy/images/sccm-pxe.PNG b/windows/deploy/images/sccm-pxe.PNG
new file mode 100644
index 0000000000..39cb22c075
Binary files /dev/null and b/windows/deploy/images/sccm-pxe.PNG differ
diff --git a/windows/deploy/images/sccm-site.PNG b/windows/deploy/images/sccm-site.PNG
new file mode 100644
index 0000000000..92319fdbf7
Binary files /dev/null and b/windows/deploy/images/sccm-site.PNG differ
diff --git a/windows/deploy/images/sccm-software-cntr.PNG b/windows/deploy/images/sccm-software-cntr.PNG
new file mode 100644
index 0000000000..9c920c6d39
Binary files /dev/null and b/windows/deploy/images/sccm-software-cntr.PNG differ
diff --git a/windows/deploy/images/six.png b/windows/deploy/images/six.png
new file mode 100644
index 0000000000..8bf761ef20
Binary files /dev/null and b/windows/deploy/images/six.png differ
diff --git a/windows/deploy/images/three.png b/windows/deploy/images/three.png
new file mode 100644
index 0000000000..887fa270d7
Binary files /dev/null and b/windows/deploy/images/three.png differ
diff --git a/windows/deploy/images/two.png b/windows/deploy/images/two.png
new file mode 100644
index 0000000000..b8c2d52eaf
Binary files /dev/null and b/windows/deploy/images/two.png differ
diff --git a/windows/deploy/images/ua-cg-01.png b/windows/deploy/images/ua-cg-01.png
new file mode 100644
index 0000000000..4b41bd67ba
Binary files /dev/null and b/windows/deploy/images/ua-cg-01.png differ
diff --git a/windows/deploy/images/ua-cg-02.png b/windows/deploy/images/ua-cg-02.png
new file mode 100644
index 0000000000..4cbfaf26d8
Binary files /dev/null and b/windows/deploy/images/ua-cg-02.png differ
diff --git a/windows/deploy/images/ua-cg-03.png b/windows/deploy/images/ua-cg-03.png
new file mode 100644
index 0000000000..cfad7911bb
Binary files /dev/null and b/windows/deploy/images/ua-cg-03.png differ
diff --git a/windows/deploy/images/ua-cg-04.png b/windows/deploy/images/ua-cg-04.png
new file mode 100644
index 0000000000..c818d15d02
Binary files /dev/null and b/windows/deploy/images/ua-cg-04.png differ
diff --git a/windows/deploy/images/ua-cg-05.png b/windows/deploy/images/ua-cg-05.png
new file mode 100644
index 0000000000..a8788f0eb9
Binary files /dev/null and b/windows/deploy/images/ua-cg-05.png differ
diff --git a/windows/deploy/images/ua-cg-06.png b/windows/deploy/images/ua-cg-06.png
new file mode 100644
index 0000000000..ed983c96c8
Binary files /dev/null and b/windows/deploy/images/ua-cg-06.png differ
diff --git a/windows/deploy/images/ua-cg-07.png b/windows/deploy/images/ua-cg-07.png
new file mode 100644
index 0000000000..2aba43be53
Binary files /dev/null and b/windows/deploy/images/ua-cg-07.png differ
diff --git a/windows/deploy/images/ua-cg-08.png b/windows/deploy/images/ua-cg-08.png
new file mode 100644
index 0000000000..4d7f924d76
Binary files /dev/null and b/windows/deploy/images/ua-cg-08.png differ
diff --git a/windows/deploy/images/ua-cg-09.png b/windows/deploy/images/ua-cg-09.png
new file mode 100644
index 0000000000..b9aa1cea41
Binary files /dev/null and b/windows/deploy/images/ua-cg-09.png differ
diff --git a/windows/deploy/images/ua-cg-10.png b/windows/deploy/images/ua-cg-10.png
new file mode 100644
index 0000000000..54e222338d
Binary files /dev/null and b/windows/deploy/images/ua-cg-10.png differ
diff --git a/windows/deploy/images/ua-cg-11.png b/windows/deploy/images/ua-cg-11.png
new file mode 100644
index 0000000000..4e930a5905
Binary files /dev/null and b/windows/deploy/images/ua-cg-11.png differ
diff --git a/windows/deploy/images/ua-cg-12.png b/windows/deploy/images/ua-cg-12.png
new file mode 100644
index 0000000000..2fbe11b814
Binary files /dev/null and b/windows/deploy/images/ua-cg-12.png differ
diff --git a/windows/deploy/images/ua-cg-13.png b/windows/deploy/images/ua-cg-13.png
new file mode 100644
index 0000000000..f04252796e
Binary files /dev/null and b/windows/deploy/images/ua-cg-13.png differ
diff --git a/windows/deploy/images/ua-cg-14.png b/windows/deploy/images/ua-cg-14.png
new file mode 100644
index 0000000000..6105fdf4d1
Binary files /dev/null and b/windows/deploy/images/ua-cg-14.png differ
diff --git a/windows/deploy/images/ua-cg-15.png b/windows/deploy/images/ua-cg-15.png
new file mode 100644
index 0000000000..5362db66da
Binary files /dev/null and b/windows/deploy/images/ua-cg-15.png differ
diff --git a/windows/deploy/images/ua-cg-16.png b/windows/deploy/images/ua-cg-16.png
new file mode 100644
index 0000000000..6d5b8a84b6
Binary files /dev/null and b/windows/deploy/images/ua-cg-16.png differ
diff --git a/windows/deploy/images/ua-cg-17.png b/windows/deploy/images/ua-cg-17.png
new file mode 100644
index 0000000000..d66c41917b
Binary files /dev/null and b/windows/deploy/images/ua-cg-17.png differ
diff --git a/windows/deploy/images/upgrade-analytics-unsubscribe.png b/windows/deploy/images/upgrade-analytics-unsubscribe.png
new file mode 100644
index 0000000000..402db94d6f
Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-unsubscribe.png differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index 38c64b3abc..b2d4ab858c 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -5,6 +5,7 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
+localizationpriority: high
author: greg-lindsay
---
@@ -17,6 +18,7 @@ Learn about deploying Windows 10 for IT professionals.
|------|------------|
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
|[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
@@ -24,8 +26,7 @@ Learn about deploying Windows 10 for IT professionals.
|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
-| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. |
-| [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) | Create a provisioning package to add apps and certificates to a PC running Windows 10. |
+| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Imaging and Configuration Designer (ICD) and provisioning packages to easily configure multiple devices. |
|[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md
index b75fb8989c..a7d55fda76 100644
--- a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md
+++ b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md
@@ -2,7 +2,7 @@
title: Manage Windows upgrades with Upgrade Analytics (Windows 10)
description: Provides an overview of the process of managing Windows upgrades with Upgrade Analytics.
ms.prod: w10
-author: MaggiePucciEvans
+author: greg-lindsay
---
# Manage Windows upgrades with Upgrade Analytics
@@ -18,17 +18,11 @@ With Windows telemetry enabled, Upgrade Analytics collects system, application,
Use Upgrade Analytics to get:
- A visual workflow that guides you from pilot to production
-
- Detailed computer and application inventory
-
- Powerful computer level search and drill-downs
-
- Guidance and insights into application and driver compatibility issues, with suggested fixes
-
- Data driven application rationalization tools
-
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-
- Data export to commonly used software deployment tools, including System Center Configuration Manager
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
@@ -36,22 +30,14 @@ The Upgrade Analytics workflow steps you through the discovery and rationalizati
**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
-[Upgrade Analytics architecture](upgrade-analytics-architecture.md)
-
-[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
-
-[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
-
-[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
-
-[Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
-
-[Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
-
+[Upgrade Analytics architecture](upgrade-analytics-architecture.md)
+[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
+[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
+[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
+[Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
+[Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md
index fe8b805133..86c8e234ff 100644
--- a/windows/deploy/provision-pcs-for-initial-deployment.md
+++ b/windows/deploy/provision-pcs-for-initial-deployment.md
@@ -4,7 +4,7 @@ description: Create a provisioning package to apply common settings to a PC runn
ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: W10
-ms.mktglfcycl: manage
+ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
@@ -92,40 +92,30 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-## Apply package
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-
- 
-
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
-
- 
-
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
- 
-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
-
- 
-
-5. Select **Yes, add it**.
-
- 
-
+ **Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
## Learn more
-- [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651)
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+## Related topics
-
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md
index 2a918f8202..6e4614a977 100644
--- a/windows/deploy/provision-pcs-with-apps-and-certificates.md
+++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md
@@ -4,7 +4,7 @@ description: Create a provisioning package to apply settings to a PC running Win
ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: W10
-ms.mktglfcycl: manage
+ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
@@ -57,7 +57,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option.
> [!NOTE]
-> If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/library/windows/hardware/mt703295%28v=vs.85%29.aspx).
+> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md).
### Add a universal app to your package
@@ -170,66 +170,27 @@ If your build is successful, the name of the provisioning package, output direct
-## Apply package
-
-### During initial setup, from a USB drive
-
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-
- 
-
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
-
- 
-
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
- 
-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
-
- 
-
-5. Select **Yes, add it**.
-
- 
-
-6. Read and accept the Microsoft Software License Terms.
-
- 
-
-7. Select **Use Express settings**.
-
- 
-
-8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
-
- 
-
-9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
-
- 
-
-10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
-
- 
-
-
-### After setup, from a USB drive, network folder, or SharePoint site
-
-On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install.
-
-
+**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
## Learn more
-- [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651)
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
-
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/deploy/provisioning-apply-package.md b/windows/deploy/provisioning-apply-package.md
new file mode 100644
index 0000000000..1125dd6985
--- /dev/null
+++ b/windows/deploy/provisioning-apply-package.md
@@ -0,0 +1,119 @@
+---
+title: Apply a provisioning package (Windows 10)
+description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime").
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Apply a provisioning package
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
+
+## Desktop editions
+
+### During initial setup, from a USB drive
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ 
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+ 
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ 
+
+5. Select **Yes, add it**.
+
+ 
+
+6. Read and accept the Microsoft Software License Terms.
+
+ 
+
+7. Select **Use Express settings**.
+
+ 
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+ 
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+ 
+
+10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+ 
+
+### After setup, from a USB drive, network folder, or SharePoint site
+
+On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
+
+
+
+## Mobile editions
+
+### Using removable media
+
+1. Insert an SD card containing the provisioning package into the device.
+2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
+
+ 
+
+3. Click **Add**.
+
+4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
+
+ 
+
+### Copying the provisioning package to the device
+
+1. Connect the device to your PC through USB.
+
+2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device.
+
+3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
+
+ 
+
+
+
+
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
diff --git a/windows/deploy/provisioning-command-line.md b/windows/deploy/provisioning-command-line.md
new file mode 100644
index 0000000000..d5c52aabac
--- /dev/null
+++ b/windows/deploy/provisioning-command-line.md
@@ -0,0 +1,68 @@
+---
+title: Windows ICD command-line interface (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Windows ICD command-line interface (reference)
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can use the Windows Imaging and Configuration Designer (ICD) command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images.
+
+- IT pros can use the Windows ICD CLI to require less re-tooling of existing processes. You must run the Windows ICD CLI from a command window with administrator privileges.
+
+- You must use the Windows ICD CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows ICD CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
+
+
+
+## Syntax
+
+```
+icd.exe /Build-ProvisioningPackage /CustomizationXML:
+
+
+For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows ICD when you select the setting, as shown in the following image.
+
+
+
+
+ ## Build package
+
+1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**.
+
+ 
+
+2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**:
+ - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
+ - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field.
+ - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages).
+ - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0.
+
+3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections.
+
+ - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen.
+ - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
+
+ >[!NOTE]
+ >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.
+ >
+ >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.
+
+4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows ICD uses the project folder as the output location.
+
+5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+
+ If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page.
+
+6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+7. When you are done, click **Finish** to close the wizard and go back to the Customizations page.
+
+**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
diff --git a/windows/deploy/provisioning-how-it-works.md b/windows/deploy/provisioning-how-it-works.md
new file mode 100644
index 0000000000..1f9b72eb6c
--- /dev/null
+++ b/windows/deploy/provisioning-how-it-works.md
@@ -0,0 +1,184 @@
+---
+title: How provisioning works in Windows 10 (Windows 10)
+description: A provisioning package (.ppkg) is a container for a collection of configuration settings.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# How provisioning works in Windows 10
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Imaging and Configuration Designer (Windows ICD) is a tool that makes it easy to create a provisioning package. Windows ICD is contained in the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
+
+## Provisioning packages
+
+A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or simply downloaded to the device.
+
+To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source.
+
+A provisioning package (.ppkg) is a container for a collection of configuration settings. The package has the following format:
+
+- Package metadata – The metadata contains basic information about the package such as package name, description, version, ranking, and so on.
+
+- XML descriptors – Each descriptor defines a customization asset or configuration setting included in the package.
+
+- Asset payloads – The payloads of a customization asset or a configuration setting associated with an app or data asset.
+
+You can use provisioning packages for runtime device provisioning by accessing the package on a removable media attached to the device, through near field communication (NFC), or by downloading from a remote source location.
+
+## Precedence for provisioning packages
+
+When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence:
+
+1. Microsoft
+
+2. Silicon Vender
+
+3. OEM
+
+4. System Integrator
+
+5. Mobile Operator
+
+6. IT Admin
+
+The valid value range of package rank level is 0 to 99.
+
+When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For example, the value of a setting in a package with owner **System Integrator** and rank level **3** takes precedence over the same setting in a package with owner **OEM** and rank level **4**. This is because the System Integrator owner type has the higher precedence over the OEM owner type. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device.
+
+## Windows provisioning XML
+
+Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner.
+
+Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows ICD to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows ICD translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format.
+
+When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the Windows provisioning CSP. The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use.
+
+## Provisioning engine
+
+The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10.
+
+The provisioning engine provides the following functionality:
+
+- Provisioning configuration at any time when the device is running including first boot and setup or OOBE. It is also extensible to other points during the run-time of the device.
+- Reading and combining settings from multiple sources of configuration that may be added to an image by Microsoft, the OEM, or system integrator, or added by IT/education administrators or users to the device at run-time. Configuration sources may be built into the image or from provisioning packages added to the device.
+- Responding to triggers or events and initiating a provisioning stage.
+- Authenticating the provisioning packages.
+- Selecting a set of configuration based on the stage and a set of keys—such as the SIM, MCC/MNC, IMSI range, and so on—that map to a specific configuration then passing this configuration to the configuration management infrastructure to be applied.
+- Working with OOBE and the control panel UI to allow user selection of configuration when a specific match cannot be determined.
+
+## Configuration manager
+
+The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to Configuration Service Providers (CSPs) to perform the specific management requests and settings.
+
+The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied.
+
+Underneath the configuration manager are the CSPs. Each section of configuration translates to a particular CSP to handle interpreting into an action on the device. Each CSP translates the instructions in the configuration and calls into the appropriate APIs and components to perform the requested provisioning actions.
+
+## Policy and resource manager
+
+The policy, resource, and context manager components manage the enrollment and unenrollment of devices into enterprise environments. The enrollment process into an enterprise is essentially the provisioning of configuration and device management policies that the enterprise wants to enforce on the device. This is usually done through the explicit signing up of the device to an enterprise's device management server over a network connection. This provides the user with the ability to access the enterprise's resources through the device and the enterprise with a means to manage and control access and manage and control the device itself.
+
+The key differences between enterprise enrollment and the configuration performed by the provisioning engine are:
+- Enrollment enforces a limited and controlled set of policies on the device that the user may not have full control over. The provisioning engine exposes a larger set of settings that configure more aspects of the device and are generally user adjustable.
+- The policy manager manages policy settings from multiple entities and performs a selection of the setting based on priority of the entities. The provisioning engine applies the settings and does not offer a means of prioritizing settings from different sources. The more specific provisioning is the last one applied and the one that is used.
+- Individual policy settings applied from different enrollment entities are stored so they can be removed later during unenrollment. This enables the user to remove enterprise policy and return the device to a state without the enterprise restrictions and any sensitive data. The provisioning engine does not maintain individual provisioning settings or a means to roll back all applied settings.
+
+In Windows 10, the application of policy and enrollment through provisioning is required to support cases where an enterprise or educational institution does not have a DM server for full device management. The provisioning engine supports provisioning enrollment and policy through its configuration and integrates with the existing policy and resource manager components directly or through the configuration manager.
+
+## Triggers and stages
+
+Triggers are events during the lifetime of the system that start a provisioning stage. Some examples of triggers are: boot, OOBE, SIM change, user added, administrator added, user login, device update, and various manual triggers (such as deployment over USB or launched from an email attachment or USB flash drive).
+
+When a trigger occurs, provisioning is initiated for a particular provisioning stage. The stages are grouped into sets based on the scope of the settings:
+- **Static**: First stage run for provisioning to apply configuration settings to the system to set up OOBE or apply device-wide settings that cannot be done when the image is being created.
+- **System**: Run during OOBE and configure system-wide settings.
+- **UICC**: UICC stages run for each new UICC in a device to handle configuration and branding based on the identity of the UICC or SIM card. This enables the runtime configuration scenarios where an OEM can maintain one image that can be configured for multiple operators.
+- **Update**: Runs after an update to apply potential updated settings changes.
+- **User**: runs during a user account first run to configure per-user settings.
+
+
+
+
+
+
+
+
+
+## Device provisioning during OOBE
+
+The provisioning engine always applies provisioning packages persisted in the C:\Recovery\Customizations folder on the OS partition. When the provisioning engine applies provisioning packages in the %ProgramData%\Microsoft\Provisioning folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect.
+
+Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media.
+
+The following table shows how device provisioning can be initiated when a user first boots to OOBE.
+
+
+| Package delivery | Initiation method | Supported device |
+| --- | --- | --- |
+| Removable media - USB drive or SD card (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices |
+| From an administrator device through machine to machine NFC or NFC tag(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices |
+
+The provisioning engine always copies the acquired provisioning packages to the %ProgramData%\Microsoft\Provisioning folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device.
+
+When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s).
+
+## Device provisioning at runtime
+
+At device runtime, standalone provisioning packages can be applied by user initiation. Only runtime configuration settings including multivariant settings contained in a provisioning package can be applied at device runtime.
+
+The following table shows when provisioning at device runtime can be initiated.
+
+| Package delivery | Initiation method | Supported device |
+| --- | --- | --- |
+| Removable media - USB drive or SD card(Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices |
+| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows 10 for desktop editions devices |
+| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows 10 Mobile devices and IoT Core devices |
+
+When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device.
+
+When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device.
+
+After a standalone provisioning package is applied to the device, the package is persisted in the %ProgramData%\Microsoft\Provisioning folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. However, Windows 10 doesn't provide an uninstall option to revert runtime settings when removing a provisioning package from the device.
+
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deploy/provisioning-install-icd.md b/windows/deploy/provisioning-install-icd.md
new file mode 100644
index 0000000000..9727bc089d
--- /dev/null
+++ b/windows/deploy/provisioning-install-icd.md
@@ -0,0 +1,106 @@
+---
+title: Install Windows Imaging and Configuration Designer (Windows 10)
+description: Learn how to install and run Windows ICD.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Install Windows Imaging and Configuration Designer (ICD)
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Use the Windows Imaging and Configuration Designer (ICD) tool in the Windows Assessment and Deployment Kit (ADK) to create provisioning packages to easily configure devices running Windows 10. Windows ICD is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
+
+## Supported platforms
+
+Windows ICD can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core. You can run Windows ICD on the following operating systems:
+
+- Windows 10 - x86 and amd64
+- Windows 8.1 Update - x86 and amd64
+- Windows 8.1 - x86 and amd64
+- Windows 8 - x86 and amd64
+- Windows 7 - x86 and amd64
+- Windows Server 2016
+- Windows Server 2012 R2 Update
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+## Install Windows ICD
+
+1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607).
+
+ >[!NOTE]
+ >The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example.
+
+2. Save **adksetup.exe** and then run it.
+
+3. On the **Specify Location** page, select an installation path and then click **Next**.
+ >[!NOTE]
+ >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows ICD, the space requirement is approximately 32 MB.
+4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**.
+
+5. Accept the **License Agreement**, and then click **Next**.
+
+6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
+
+ 
+
+## Current Windows ICD limitations
+
+
+- You can only run one instance of Windows ICD on your computer at a time.
+
+- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process.
+
+- The Windows ICD UI does not support multivariant configurations. Instead, you must use the Windows ICD command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
+
+- While you can open multiple projects at the same time within Windows ICD, you can only build one project at a time.
+
+- In order to enable the simplified authoring jscripts to work on a server SKU running Windows ICD, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**.
+
+- If you copy a Windows ICD project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC.
+
+ For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows ICD. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows ICD might attempt to resolve the path to the files that point to the original PC.
+
+- **Recommended**: Before starting, copy all source files to the PC running Windows ICD, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device.
+
+**Next step**: [How to create a provisioning package](provisioning-create-package.md)
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deploy/provisioning-multivariant.md b/windows/deploy/provisioning-multivariant.md
new file mode 100644
index 0000000000..3bc7652233
--- /dev/null
+++ b/windows/deploy/provisioning-multivariant.md
@@ -0,0 +1,322 @@
+---
+title: Create a provisioning package with multivariant settings (Windows 10)
+description: Create a provisioning package with multivariant settings to customize the provisioned settings.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Create a provisioning package with multivariant settings
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Multivariant provisioning packages enable you to create a single provisioning package that can work for multiple locales.
+
+To provision multivariant settings, you must create a provisioning package with defined **Conditions** and **Settings** that are tied to these conditions. When you install this package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning.
+
+The following events trigger provisioning on Windows 10 devices:
+
+| Event | Windows 10 Mobile | Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) |
+| --- | --- | --- |
+| System boot | Supported | Supported |
+| Operating system update | Supported | Planned |
+| Package installation during device first run experience | Supported | Supported |
+| Detection of SIM presence or update | Supported | Not supported |
+| Package installation at runtime | Supported | Supported |
+| Roaming detected | Supported | Not supported |
+
+## Target, TargetState, Condition, and priorities
+
+Targets describe keying for a variant and must be described or pre-declared before being referenced by the variant.
+
+- You can define multiple **Target** child elements for each **Id** that you need for the customization setting.
+
+- Within a **Target** you can define multiple **TargetState** elements.
+
+- Within a **TargetState** element you can create multiple **Condition** elements.
+
+- A **Condition** element defines the matching type between the condition and the specified value.
+
+The following table shows the conditions supported in Windows 10 provisioning:
+
+>[!NOTE]
+>You can use any of these supported conditions when defining your **TargetState**.
+
+| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description |
+| --- | --- | --- | --- | --- | --- |
+| MNC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. |
+| MCC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. |
+| SPN | P0 | Supported | N/A | String | Use to target settings based on the Service Provider Name (SPN) value. |
+| PNN | P0 | Supported | N/A | String | Use to target settings based on public land mobile network (PLMN) Network Name value. |
+| GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
+| ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
+| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). |
+| UICC | P0 | Supported | N/A | Enumeration | Use to specify the UICC state. Set the value to one of the following:- 0 - Empty- 1 - Ready- 2 - Locked |
+| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:- 0 - Slot 0- 1 - Slot 1 |
+| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. |
+| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. |
+| AoAc | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. |
+| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the POWER_PLATFORM_ROLE enumeration. |
+| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. |
+| Server | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. |
+| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region. |
+| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code. |
+| ROMLANG | P1 | Supported | N/A | Digit string | Use to specify the PhoneROMLanguage that's set for DeviceTargeting. This condition is used primarily to detect variants for China. For example, you can use this condition and set the value to "0804". |
+
+The matching types supported in Windows 10 are:
+
+| Matching type | Syntax | Example |
+| --- | --- | --- |
+| Straight match | Matching type is specified as-is | <Condition Name="ProcessorName" Value="Barton" /> |
+| Regex match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> |
+| Numeric range match | Matching type is prefixed by "!Range:" | <Condition Name="MNC" Value="!Range:400, 550" /> |
+
+
+- When all **Condition** elements are TRUE, **TargetState** is TRUE (**AND** logic).
+
+- If any of the **TargetState** elements is TRUE, **Target** is TRUE (**OR** logic), and **Id** can be used for the setting customization.
+
+
+You can define more than one **TargetState** within a provisioning package to apply variant settings that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the variant settings are applied, the system assigns a priority to every **TargetState**.
+
+A variant setting that matches a **TargetState** with a lower priority is applied before the variant that matches a **TargetState** with a higher priority. Variant settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package.
+
+The **TargetState** priority is assigned based on the conditions priority and the priority evaluation rules are as followed:
+
+1. **TargetState** with P0 conditions is higher than **TargetState** without P0 conditions.
+
+
+2. **TargetState** with P1 conditions is higher than **TargetState** without P0 and P1 conditions.
+
+
+3. If N₁>N₂>0, the **TargetState** priority with N₁ P0 conditions is higher than the **TargetState** with N₂ P1 conditions.
+
+
+4. For **TargetState** without P0 conditions, if N₁>N₂>0 **TargetState** with N₁ P1 conditions is higher than the **TargetState** with N₂ P1 conditions.
+
+
+5. For **TargetState** without P0 and P1 conditions, if N₁>N₂>0 **TargetState** priority with N₁ P2 conditions is higher than the **TargetState** with N₂ P2 conditions.
+
+
+6. For rules 3, 4, and 5, if N₁=N₂, **TargetState** priorities are considered equal.
+
+
+## Create a provisioning package with multivariant settings
+
+Follow these steps to create a provisioning package with multivariant capabilities.
+
+
+1. Build a provisioning package and configure the customizations you need to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md).
+
+
+2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project.
+
+
+3. Open the project folder and copy the customizations.xml file.
+
+4. Use an XML or text editor to open the customizations.xml file.
+
+ The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The Customizations node contains a Common section, which contains the customization settings.
+
+ The following example shows the contents of a sample customizations.xml file.
+
+ ```XML
+
+Expand a category.  Select a setting.  Enter a value for the setting. Click **Add** if the button is displayed.  Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.  When the setting is configured, it is displayed in the **Selected customizations** pane. 
The receiving device uses this information to understand information in the Data field. |
+| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. |
+
+
+
+### NFC provisioning helper
+
+The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format:
+
+
+
+For each part:
+- **Version** should always be 0x00.
+- **Leading byte** should always be 0xFF.
+- **Order** represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0).
+- **Total** represents the total number of chunks to be transferred for the whole message.
+- **Chunk payload** represents each of the split parts.
+
+The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk.
+
+**Code example**
+
+The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device.
+
+```
+ private async void WriteProvPkgToTag(IStorageFile provPkgFile)
+ {
+ var buffer = await FileIO.ReadBufferAsync(provPkgFile);
+ if (null == buffer)
+ {
+ return;
+ }
+
+ var proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault();
+ if (null == proximityDevice)
+ {
+ return;
+ }
+
+ var dataWriter = new DataWriter();
+ var header = new NfcProvHeader();
+
+ header.version = NFC_PROV_MESSAGE_CURRENT_VERSION; // Currently the supported version is 0x00.
+ header.leading = NFC_PROV_MESSAGE_LEADING_BYTE; // The leading byte should be always 0xFF.
+ header.index = 0; // Assume we only have 1 chunk.
+ header.total = 1; // Assume we only have 1 chunk.
+
+ // Write the header first and then the raw data of the provisioning package.
+ dataWriter.WriteBytes(GetBytes(header));
+ dataWriter.WriteBuffer(buffer);
+
+ var chunkPubId = proximityDevice.PublishBinaryMessage(
+ "Windows:WriteTag.ProvPlugins.Chunk",
+ dataWriter.DetachBuffer());
+ }
+```
+
+
+### NFC-enabled device tag components
+
+Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds.
+
+To provision from an NFC-enabled source device, use [ProximityDevice class API](https://msdn.microsoft.com/library/windows/apps/windows.networking.proximity.proximitydevice.aspx) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section.
+
+For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device.
+
+
+
+
+
+
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md
index 47223a7427..557bf3e595 100644
--- a/windows/deploy/provisioning-packages.md
+++ b/windows/deploy/provisioning-packages.md
@@ -3,9 +3,8 @@ title: Provisioning packages (Windows 10)
description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
ms.prod: w10
-ms.mktglfcycl: explore
+ms.mktglfcycl: deploy
ms.sitesec: library
-ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
@@ -18,19 +17,21 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
-With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
-## New in Windows 10, Version 1607
+The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Imaging and Configuration Designer (ICD), a tool for configuring provisioning packages.
-The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios.
+## New in Windows 10, version 1607
+
+Windows ICD for Windows 10, version 1607, simplifies common provisioning scenarios.
-Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT administrators:
+Windows ICD in Windows 10, version 1607, supports the following scenarios for IT administrators:
* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
@@ -48,7 +49,7 @@ Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT
* Other MDMs (cert-based enrollment)
> [!NOTE]
-> Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
+> Windows ICD in Windows 10, version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
## Benefits of provisioning packages
@@ -74,7 +75,7 @@ Provisioning packages can be:
## What you can configure
-The following table provides some examples of what can be configured using provisioning packages.
+The following table provides some examples of what you can configure using provisioning packages.
| Customization options | Examples |
|--------------------------|-----------------------------------------------------------------------------------------------|
@@ -92,42 +93,26 @@ The following table provides some examples of what can be configured using provi
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
-## Creating a provisioning package
-
-
-With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
-
-When you run ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box:
-
-- **Configuration Designer**
-
-
-
-> [!NOTE]
-> In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features.
-
-After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651).
-
-## Applying a provisioning package to a device
-
-
-Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651).
-
## Learn more
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-[Windows 10: Deployment](https://go.microsoft.com/fwlink/p/?LinkId=533708)
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
## Related topics
-- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md)
-- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
-- [Set up a shared or guest PC with Windows 10](../manage/set-up-shared-or-guest-pc.md)
-- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
-- [Set up a device for anyone to use (kiosk mode)](../manage/set-up-a-device-for-anyone-to-use.md)
-- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
diff --git a/windows/deploy/provisioning-script-to-install-app.md b/windows/deploy/provisioning-script-to-install-app.md
new file mode 100644
index 0000000000..8754c66299
--- /dev/null
+++ b/windows/deploy/provisioning-script-to-install-app.md
@@ -0,0 +1,222 @@
+---
+title: Use a script to install a desktop app in provisioning packages (Windows 10)
+description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Use a script to install a desktop app in provisioning packages
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see Remarks below).
+
+>**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher
+
+>[!NOTE]
+>This scenario is only supported for installing applications on Windows 10 for desktop, version 1511 or higher.
+
+## Assemble the application assets
+
+1. On the device where you’re authoring the package, place all of your assets in a known location. Each asset must have a unique filename, because all files will be copied to the same temp directory on the device. It’s common for many apps to have an installer called ‘install.exe’ or similar, and there may be name overlap because of that. To fix this, you can use the technique described in the next step to include a complete directory structure that is then expanded into the temp directory on the device. The most common use for this would be to include a subdirectory for each application.
+
+2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
+
+## Cab the application assets
+
+1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory.
+
+ ```
+ ;*** MSDN Sample Source Code MakeCAB Directive file example
+
+ ;
+
+ .OPTION EXPLICIT ; Generate errors on variable typos
+
+ .set DiskDirectoryTemplate=CDROM ; All cabinets go in a single directory
+
+ .Set MaxDiskFileCount=1000; Limit file count per cabinet, so that
+
+ ; scanning is not too slow
+
+ .Set FolderSizeThreshold=200000 ; Aim for ~200K per folder
+
+ .Set CompressionType=MSZIP
+
+ ;** All files are compressed in cabinet files
+
+ .Set Cabinet=on
+
+ .Set Compress=on
+
+ ;-------------------------------------------------------------------
+
+ ;** CabinetNameTemplate = name of cab
+
+ ;** DiskDirectory1 = output directory where cab will be created
+
+ ;-------------------------------------------------------------------
+
+ .Set CabinetNameTemplate=tt.cab
+
+ .Set DiskDirectory1=.
+
+ ;-------------------------------------------------------------------
+
+ ; Replace **Version**(1 byte) **Leading**
(1 byte)**Order**(1 byte) **Total**(1 byte) **Chunk payload**(N bytes)
+[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
-[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
-
-[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
-
-[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
+[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
+[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
+[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
diff --git a/windows/deploy/upgrade-analytics-deploy-windows.md b/windows/deploy/upgrade-analytics-deploy-windows.md
index 18ee3ac68d..57b8c26f7f 100644
--- a/windows/deploy/upgrade-analytics-deploy-windows.md
+++ b/windows/deploy/upgrade-analytics-deploy-windows.md
@@ -2,25 +2,96 @@
title: Upgrade Analytics - Get a list of computers that are upgrade-ready (Windows 10)
description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Analytics.
ms.prod: w10
-author: MaggiePucciEvans
+author: greg-lindsay
---
-# Upgrade Analytics - Get a list of computers that are upgrade ready
-
-All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready.
+# Upgrade Analytics - Step 3: Deploy Windows
+All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready.
The blades in the **Deploy** section are:
+- [Deploy eligible computers](#deploy-eligible-computers)
+- [Deploy computers by group](#computer-groups)
+
+>Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment).
+
## Deploy eligible computers
-Computers grouped by deployment decision are listed.
+In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways:
+- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**.
+- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**.
+- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met.
-
+
Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers.
>**Important**
When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
+
+## Computer groups
+
+Computer groups allow you to segment your environment by creating device groups based on OMS log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/).
+
+Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Analytics Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS.
+
+### Getting started with Computer Groups
+
+When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example:
+
+
+
+To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example:
+
+```
+Type=UAComputer Manufacturer=DELL
+```
+
+
+
+When you are satisfied that the query is returning the intended results, add the following text to your search:
+
+```
+| measure count() by Computer
+```
+
+This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example:
+
+
+
+Your new computer group will now be available in Upgrade Analytics. See the following example:
+
+
+
+### Using Computer Groups
+
+When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready.
+
+
+
+Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**:
+
+
+
+Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**:
+
+
+
+A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed.
+
+### Upgrade assessment
+
+Upgrade assessment and guidance details are explained in the following table.
+
+| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance |
+|-----------------------|------------------------------------------------|----------|-----------------|---------------|
+| No known issues | No | None | Computers will upgrade seamlessly.
| OK to use as-is in pilot. |
+| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. |
+| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.
If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.
|
+
+Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file.
+
+>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-deployment-script.md b/windows/deploy/upgrade-analytics-deployment-script.md
new file mode 100644
index 0000000000..06bff0e12b
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-deployment-script.md
@@ -0,0 +1,103 @@
+---
+title: Upgrade Analytics deployment script (Windows 10)
+description: Deployment script for Upgrade Analytics.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Upgrade Analytics deployment script
+
+To automate the steps provided in [Get started with Upgrade Analytics](upgrade-analytics-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
+
+For detailed information about using the upgrade analytics deployment script, also see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
+
+> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
+
+The Upgrade Analytics deployment script does the following:
+
+1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
+2. Verifies that user computers can send data to Microsoft.
+3. Checks whether the computer has a pending restart.
+4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
+5. If enabled, turns on verbose mode for troubleshooting.
+6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
+7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
+
+To run the Upgrade Analytics deployment script:
+
+1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+
+2. Edit the following parameters in RunConfig.bat:
+
+ 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
+
+ 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
+
+ 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
+
+ > *logMode = 0 log to console only*
+>
+ > *logMode = 1 log to file and console*
+>
+ > *logMode = 2 log to file only*
+
+3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
+
+ > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
+ >
+ > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
+ >
+ > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
+ >
+ > *IEOptInLevel = 3 Data collection is enabled for all sites*
+
+4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+
+
+
+The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
+
+
+
+
+Exit code Meaning Suggested fix
+ 0 Success
+ 1 Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
+ 2 Error when logging to console. $logMode = 0. Try changing the $logMode value to **1** and try again.
+ 3 Error when logging to console and file. $logMode = 1. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+ 4 Error when logging to file. $logMode = 2. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+ 5 Error when logging to console and file. $logMode = unknown. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+ 6 The commercialID parameter is set to unknown. Modify the script. Set the value for CommercialID in runconfig.bat file.
+ 8 Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. Verify that the configuration script has access to this location.
+ 9 Error when writing CommercialId to registry. Verify that the configuration script has access to this location.
+ 10 Error when writing CommercialDataOptIn to registry. Verify that the configuration script has access to this location.
+ 11 Function -SetupCommercialId: Unexpected failure. Verify that the configuration script has access to this location.
+ 12 Can’t connect to Microsoft – Vortex. Check your network/proxy settings. Verify that the required endpoints are whitelisted correctly.
+ 13 Can’t connect to Microsoft – setting. Verify that the required endpoints are whitelisted correctly.
+ 14 Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted.
+ 15 Error connecting to Microsoft:Unexpected failure.
+ 16 Machine requires reboot. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
+ 17 Function -CheckRebootRequired: Unexpected failure. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
+ 18 Outdated compatibility update KB package. Update via Windows Update/WSUS.
+The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1.
+ 19 The compatibility update failed with unexpected exception. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
+ 20 Error writing RequestAllAppraiserVersions registry key. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
+ 21 Function – SetRequestAllAppraiserVersions: Unexpected failure. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
+ 22 RunAppraiser failed with unexpected exception. Check %windir%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file.
+ 23 Error finding system variable %WINDIR%. Make sure that this environment variable is available on the machine.
+ 24 SetIEDataOptIn failed when writing IEDataOptIn to registry. Verify that the deployment script in running in a context that has access to the registry key.
+ 25 SetIEDataOptIn failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again.
+ 26 The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs.
+ 27 The script is not running under System account. The Upgrade Analytics configuration script must be run as system.
+ 28 Could not create log file at the specified logPath. Make sure the deployment script has access to the location specified in the logPath parameter.
+ 29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
+ 30 Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
+ 31 There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script.
+**The Upgrade Analytics task is scheduled to run daily at 3 a.m.**
+
+ - [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements): Provides detailed requirements to use Upgrade Analytics.
+ - [Upgrade Analytics blog](https://blogs.technet.microsoft.com/UpgradeAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Analytics.
+
+>If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Analytics with Configuration Manager: [Integrate Upgrade Analytics with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
+
+When you are ready to begin using Upgrade Analytics, perform the following steps:
+
+1. Review [data collection and privacy](#data-collection-and-privacy) information.
+2. [Add Upgrade Analytics to OMS](#add-upgrade-analytics-to-operations-management-suite).
+3. [Enable data sharing](#enable-data-sharing).
+4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment.
+5. [Deploy Upgrade Analytics at scale](#deploy-upgrade-analytics-at-scale).
+
+## Data collection and privacy
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
@@ -20,13 +36,6 @@ To enable system, application, and driver data to be shared with Microsoft, you
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
-To configure Upgrade Analytics, you’ll need to:
-
-- Add the Upgrade Analytics solution to a workspace in the Operations Management Suite portal
-- Establish communications and enable data sharing between your organization and Microsoft
-
-Each task is explained in detail in the following sections.
-
## Add Upgrade Analytics to Operations Management Suite
Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
@@ -36,11 +45,8 @@ If you are already using OMS, you’ll find Upgrade Analytics in the Solutions G
If you are not using OMS:
1. Go to the [Upgrade Analytics page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
-
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-
3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
-
4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
> If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
@@ -49,11 +55,7 @@ If you are not using OMS:
2. Click the **Upgrade Analytics** tile to configure the solution. The **Settings Dashboard** opens.
-## Enable data sharing between your organization and Upgrade Analytics
-
-After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, complete the following tasks to establish communication and enable data sharing between user computers, Microsoft secure data centers, and Upgrade Analytics.
-
-## Generate your commercial ID key
+### Generate your commercial ID key
Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers.
@@ -65,7 +67,7 @@ Microsoft uses a unique commercial ID to map information from user computers to
>**Important**
Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
-## Subscribe to Upgrade Analytics
+### Subscribe to Upgrade Analytics
For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Analytics.
@@ -73,15 +75,15 @@ For Upgrade Analytics to receive and display upgrade readiness data from Microso
1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Analytics tile now displays summary data. Click the tile to open Upgrade Analytics.
-## Whitelist select endpoints
+## Enable data sharing
To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
-Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688)to learn what you need to do to run it under the logged on user account.
+Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
-| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
+| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
@@ -92,8 +94,8 @@ The compatibility update KB scans your computers and enables application usage t
| **Operating System** | **KBs** |
|----------------------|-----------------------------------------------------------------------------|
-| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. |
-| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. |
+| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. |
+| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. |
IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
@@ -103,111 +105,26 @@ If you are planning to enable IE Site Discovery, you will need to install a few
|----------------------|-----------------------------------------------------------------------------|
| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
For more information about this KB, see
Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
+### Deploy the Upgrade Analytics deployment script
+You can use the Upgrade Analytics deployment script to automate and verify your deployment.
+
+See [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed.
+
+>After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
+
+## Deploy Upgrade Analytics at scale
+
+When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization.
### Automate data collection
To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
-- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
-- Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again.
-- Schedule monthly user computer scans to view monthly active computer and usage information.
+- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
+- Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again.
+- Schedule monthly user computer scans to view monthly active computer and usage information.
-## Run the Upgrade Analytics deployment script
+### Distribute the deployment script at scale
-To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
-
-> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
-
-The Upgrade Analytics deployment script does the following:
-
-1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
-
-2. Verifies that user computers can send data to Microsoft.
-
-3. Checks whether the computer has a pending restart.
-
-4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
-
-5. If enabled, turns on verbose mode for troubleshooting.
-
-6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
-
-7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
-
-To run the Upgrade Analytics deployment script:
-
-1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
-
-2. Edit the following parameters in RunConfig.bat:
-
- 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
-
- 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
-
- 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
-
- > *logMode = 0 log to console only*
->
- > *logMode = 1 log to file and console*
->
- > *logMode = 2 log to file only*
-
-3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
-
- > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
- >
- > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
- >
- > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
- >
- > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
-4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
-
-The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
-
-
-
-
-Exit code Meaning Suggest fix
- 0 Success
- 1 Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again.
- 2 Error when logging to console. $logMode = 0. Try changing the $logMode value to **1** and try again.
- 3 Error when logging to console and file. $logMode = 1. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
- 4 Error when logging to file. $logMode = 2. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
- 5 Error when logging to console and file. $logMode = unknown. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
- 6 The commercialID parameter is set to unknown. Modify the script. Set the value for CommercialID in runconfig.bat file.
- 8 Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. Verify that the configuration script has access to this location.
- 9 Error when writing CommercialId to registry. Verify that the configuration script has access to this location.
- 10 Error when writing CommercialDataOptIn to registry. Verify that the configuration script has access to this location.
- 11 Function -SetupCommercialId: Unexpected failure. Verify that the configuration script has access to this location.
- 12 Can’t connect to Microsoft – Vortex. Check your network/proxy settings. Verify that the required endpoints are whitelisted correctly.
- 13 Can’t connect to Microsoft – setting. Verify that the required endpoints are whitelisted correctly.
- 14 Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted.
- 15 Error connecting to Microsoft:Unexpected failure.
- 16 Machine requires reboot. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
- 17 Function -CheckRebootRequired: Unexpected failure. he reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
- 18 Outdated compatibility update KB package. Update via Windows Update/WSUS.
-The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1.
- 19 The compatibility update failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again.
- 20 Error writing RequestAllAppraiserVersions registry key. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
- 21 Function – SetRequestAllAppraiserVersions: Unexpected failure. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
- 22 RunAppraiser failed with unexpected exception. Check %windr%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file.
- 23 Error finding system variable %WINDIR%. Make sure that this environment variable is available on the machine.
- 24 SetIEDataOptIn failed when writing IEDataOptIn to registry. Verify that the deployment script in running in a context that has access to the registry key.
- 25 SetIEDataOptIn failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again.
- 26 The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs.
- 27 The script is not running under System account. The Upgrade Analytics configuration script must be run as system.
- 28 Could not create log file at the specified logPath. Make sure the deployment script has access to the location specified in the logPath parameter.
- 29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
- 30 Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. The `DisableEnterpriseAuthProxy` is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` to **0** (not disabled).For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
- 30 There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script.
-**The Upgrade Analytics task is scheduled to run daily at 3 a.m.**
-
Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
| Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.
|
+| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.
| Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. |
+| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.
| You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
+| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
+| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
| Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.
|
+| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
| As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.
Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
|
+
diff --git a/windows/deploy/upgrade-analytics-prepare-your-environment.md b/windows/deploy/upgrade-analytics-prepare-your-environment.md
index a73829de5b..78eeaa078b 100644
--- a/windows/deploy/upgrade-analytics-prepare-your-environment.md
+++ b/windows/deploy/upgrade-analytics-prepare-your-environment.md
@@ -1,116 +1,4 @@
---
-title: Upgrade Analytics - Prepare your environment (Windows 10)
-description: Describes how to prepare your environment so that you can use Upgrade Analytics to manage Windows upgrades.
-ms.prod: w10
-author: MaggiePucciEvans
----
-
-# Upgrade Analytics - Prepare your environment
-
-This section of the Upgrade Analytics workflow reports your computer and application inventory and lists computers that you can use in a pilot with no known issues or with fixable driver issues. Additionally, you can determine the priority level of applications to indicate which applications the team should focus on to get them upgrade ready.
-
-The blades in the **Prepare your environment** section are:
-
-## Upgrade overview
-
-Displays the total count of computers sharing data with Microsoft and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
-
-Check this blade for data refresh status, including the date and time of the most recent data update and whether user changes are reflected. If a user change is pending when changing the upgrade assessment or importance level of an application or driver, **Data refresh pending** is displayed in orange. User changes are processed once every 24 hours and read **Up to date** in green when there are no pending changes.
-
-
-
-
-
-Select **Total computers** for a list of computers and details about them, including:
-
-- Computer ID and computer name
-
-- Computer manufacturer
-
-- Computer model
-
-- Operating system version and build
-
-- Count of system requirement, application, and driver issues per computer
-
-- Upgrade assessment based on analysis of computer telemetry data
-
-- Upgrade decision status
-
-Select **Total applications** for a list of applications discovered on user computers and details about them, including:
-
-- Application vendor
-
-- Application version
-
-- Count of computers the application is installed on
-
-- Count of computers that opened the application at least once in the past 30 days
-
-- Percentage of computers in your total computer inventory that opened the application in the past 30 days
-
-- Issues detected, if any
-
-- Upgrade assessment based on analysis of application data
-
-- Roll up level
-
-## Run a pilot
-
-Computers with no known issues and computers with fixable driver issues are listed, grouped by upgrade assessment. We recommend that you use these computers to test the impact of upgrading.
-
-
-
-
-
-Before you start your pilot project, be sure to review upgrade assessment and guidance details, explained in more detail in the table below.
-
-| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance |
-|-----------------------|------------------------------------------------|----------|-----------------|---------------|
-| No known issues | No | None | Computers will upgrade seamlessly.
| OK to use as-is in pilot. |
-| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. |
-| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.
If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.
|
-
-Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file.
-
->**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
-
-See [Plan for Windows 10 deployment](http://technet.microsoft.com/itpro/windows/plan/index) for more information about ways to deploy Windows in your organization. Read about [how Microsoft IT deployed Windows as an in-place upgrade](https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade) for best practices using the in-place upgrade method.
-
-## Prioritize applications
-
-Applications are listed, grouped by importance level. Prioritizing your applications allows you to identify the ones that you will focus on preparing for upgrade.
-
-
-
-
-
-Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
-
-To change an application’s importance level:
-
-1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. Select **Table** to view the list in a table.
-
-2. Select **User changes** to enable user input.
-
-3. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
-
-4. Click **Save** when finished.
-
-Importance levels include:
-
-| Importance level | When to use it | Recommendation |
-|--------------------|------------------|------------------|
-| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]
Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
| Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
|
-| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you change the importance level.
These applications are also marked as **Not reviewed** in the **UpgradeDecision** column.
| Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. |
-| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.
| You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
-| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
-| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
| Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing.
You may also want to change the application’s status to **Not reviewed** or **Ready to upgrade** in the **UpgradeDecision** column.
|
-| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
| As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.
Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
|
-
+title: Upgrade Analytics - Identify important apps (Windows 10)
+redirect_url: upgrade-analytics-identify-apps
+---
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-requirements.md b/windows/deploy/upgrade-analytics-requirements.md
index 0dd920f998..3875acc090 100644
--- a/windows/deploy/upgrade-analytics-requirements.md
+++ b/windows/deploy/upgrade-analytics-requirements.md
@@ -2,7 +2,7 @@
title: Upgrade Analytics requirements (Windows 10)
description: Provides requirements for Upgrade Analytics.
ms.prod: w10
-author: MaggiePucciEvans
+author: greg-lindsay
---
# Upgrade Analytics requirements
@@ -33,6 +33,10 @@ If you are not using OMS, go to [the Upgrade Analytics page on Microsoft.com](ht
Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+## System Center Configuration Manager integration
+
+Upgrade Analytics can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Analytics with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
+
## Telemetry and data sharing
After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics.
@@ -41,19 +45,13 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
-`https://v10.vortex-win.data.microsoft.com/collect/v1`
-
-`https://vortex-win.data.microsoft.com/health/keepalive`
-
-`https://settings-win.data.microsoft.com/settings`
-
-`https://vortex.data.microsoft.com/health/keepalive`
-
-`https://settings.data.microsoft.com/qos`
-
-`https://go.microsoft.com/fwlink/?LinkID=544713`
-
-`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`
+`https://v10.vortex-win.data.microsoft.com/collect/v1`
+`https://vortex-win.data.microsoft.com/health/keepalive`
+`https://settings-win.data.microsoft.com/settings`
+`https://vortex.data.microsoft.com/health/keepalive`
+`https://settings.data.microsoft.com/qos`
+`https://go.microsoft.com/fwlink/?LinkID=544713`
+`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`
>**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release.
diff --git a/windows/deploy/upgrade-analytics-resolve-issues.md b/windows/deploy/upgrade-analytics-resolve-issues.md
index 6a61a18a33..ec6f782f9e 100644
--- a/windows/deploy/upgrade-analytics-resolve-issues.md
+++ b/windows/deploy/upgrade-analytics-resolve-issues.md
@@ -2,10 +2,10 @@
title: Upgrade Analytics - Resolve application and driver issues (Windows 10)
description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Analytics.
ms.prod: w10
-author: MaggiePucciEvans
+author: greg-lindsay
---
-# Upgrade Analytics - Resolve application and driver issues
+# Upgrade Analytics - Step 2: Resolve app and driver issues
This section of the Upgrade Analytics workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
@@ -15,10 +15,10 @@ Upgrade decisions include:
| Upgrade decision | When to use it | Guidance |
|--------------------|-------------------|-------------|
-| Not reviewed | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress.**
| Some applications are automatically assigned upgrade decisions based on information known to Microsoft.
All drivers are marked not reviewed by default.
|
-| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.
Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.
| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
-| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues or with low installation rates are marked **Ready to upgrade** by default.
Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
All drivers are marked **Not reviewed** by default.
|
-| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.
Use **Won’t upgrade** for applications and drivers you don’t want to upgrade.
| If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.
|
+| Not reviewed | All drivers are marked as Not reviewed by default.
Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
| Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.
|
+| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.
Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.
| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
+| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.
In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
|
+| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.
Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
| If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.
|
The blades in the **Resolve issues** section are:
@@ -26,7 +26,7 @@ The blades in the **Resolve issues** section are:
- Review applications with no known issues
- Review drivers with known issues
-As you review applications with known issues, you can also see ISV support of applications for [Ready for Windows](https://www.readyforwindows.com/).
+As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/).
## Review applications with known issues
@@ -41,13 +41,9 @@ Applications with issues known to Microsoft are listed, grouped by upgrade asses
To change an application's upgrade decision:
1. Select **Decide upgrade readiness** to view applications with issues.
-
-2. In the table view, sort on **UpgradeAssessment** to group applications into **Attention needed** and **Fix available**.
-
-3. Select **User changes** to change the upgrade decision for each application.
-
+2. In the table view, select an **UpgradeDecision** value.
+3. Select **Decide upgrade readiness** to change the upgrade decision for each application.
4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
-
5. Click **Save** when finished.
IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md
index 5f0e5067ad..e42b53e9d0 100644
--- a/windows/deploy/upgrade-analytics-review-site-discovery.md
+++ b/windows/deploy/upgrade-analytics-review-site-discovery.md
@@ -1,68 +1,7 @@
---
title: Review site discovery
-description: Explains how to review internet web site discovery with Upgrade Analytics.
-ms.prod: w10
-author: Justinha
+redirect_url: upgrade-analytics-additional-insights
---
-# Review site discovery
-
-This section of the Upgrade Analytics workflow provides an inventory of web sites that are being used by client computers that run Internet Explorer on Windows 8.1 and Windows 7 in your environment. This inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. Data from Microsoft Edge is not collected.
-
-> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
-
-## Install prerequisite security update for Internet Explorer
-
-Ensure the following prerequisites are met before using site discovery:
-
-1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.
-2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
-3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it.
-
- If necessary, you can also enable it by creating the following registry entry.
-
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
-
- Entry name: IEDataOptIn
-
- Data type: DWORD
-
- Values:
-
- > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
- >
- > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
- >
- > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
- >
- > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
- For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx).
-
- 
-
-## Review most active sites
-
-This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page.
-
-For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL.
-
-
-
-Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name.
-
-
-
-## Review document modes in use
-
-This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes).
-
-
-
-## Run browser-related queries
-
-You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries.
-
-
diff --git a/windows/deploy/upgrade-analytics-upgrade-overview.md b/windows/deploy/upgrade-analytics-upgrade-overview.md
new file mode 100644
index 0000000000..4d1885b34a
--- /dev/null
+++ b/windows/deploy/upgrade-analytics-upgrade-overview.md
@@ -0,0 +1,51 @@
+---
+title: Upgrade Analytics - Upgrade Overview (Windows 10)
+description: Displays the total count of computers sharing data and upgraded.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Analytics - Upgrade overview
+
+The first blade in the Upgrade Analytics solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
+
+The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The following status changes are reflected on the upgrade overview blade:
+
+- Computers with incomplete data:
+ - Less than 4% = count is displayed in green.
+ - 4% - 10% = Count is displayed in amber.
+ - Greater than 10% = Count is displayed in red.
+- Delay processing device inventory data = The "Last updated" banner is displayed in amber.
+- Pending user changes = User changes count displays "Data refresh pending" in amber.
+- No pending user changes = User changes count displays "Up to date" in green.
+
+In the following example, less than 4% of (3k\355k) computers have incomplete data, and there are no pending user changes:
+
+
+
+
+
+If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours.
+
+Select **Total computers** for a list of computers and details about them, including:
+
+- Computer ID and computer name
+- Computer manufacturer
+- Computer model
+- Operating system version and build
+- Count of system requirement, application, and driver issues per computer
+- Upgrade assessment based on analysis of computer telemetry data
+- Upgrade decision status
+
+Select **Total applications** for a list of applications discovered on user computers and details about them, including:
+
+- Application vendor
+- Application version
+- Count of computers the application is installed on
+- Count of computers that opened the application at least once in the past 30 days
+- Percentage of computers in your total computer inventory that opened the application in the past 30 days
+- Issues detected, if any
+- Upgrade assessment based on analysis of application data
+- Rollup level
\ No newline at end of file
diff --git a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
index 4045eb3913..3b686e8dae 100644
--- a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
+++ b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
@@ -2,27 +2,51 @@
title: Use Upgrade Analytics to manage Windows upgrades (Windows 10)
description: Describes how to use Upgrade Analytics to manage Windows upgrades.
ms.prod: w10
-author: MaggiePucciEvans
+author: greg-lindsay
---
# Use Upgrade Analytics to manage Windows upgrades
-This topic explains how to use the Upgrade Analytics solution to plan, manage, and deploy Windows upgrades.
+You can use Upgrade Analytics to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Analytics enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
-Based on telemetry data from user computers, Upgrade Analytics identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
+- Based on telemetry data from user computers, Upgrade Analytics identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
+- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
-You and your IT team can use the Upgrade Analytics workflow to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. You can then export the list of upgrade-ready computers and start deploying Windows with confidence, knowing that you’ve addressed potential blocking issues.
+When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
-Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
+
-The Upgrade Analytics workflow gives you compatibility and usage information about computers, applications, and drivers and walks you through these high-level tasks. Each task is described in more detail in the topics that follow.
+Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step.
-1. [Preparing your environment](upgrade-analytics-prepare-your-environment.md)
+>**Important**: You can use the [Target OS](#target-os) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Analytics workflow. By default, the Target OS is configured to the released version of Windows 10 for the Current Branch for Business (CBB).
-2. [Resolving application and driver issues](upgrade-analytics-resolve-issues.md)
+The following information and workflow is provided:
-3. [Identifying computers that are upgrade ready](upgrade-analytics-deploy-windows.md)
+- [Upgrade overview](upgrade-analytics-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers.
+- [Step 1: Identify important apps](upgrade-analytics-identify-apps.md): Assign importance levels to prioritize your applications.
+- [Step 2: Resolve issues](upgrade-analytics-resolve-issues.md): Identify and resolve problems with applications.
+- [Step 3: Deploy](upgrade-analytics-deploy-windows.md): Start the upgrade process.
-4. [Review site discovery](upgrade-analytics-review-site-discovery.md)
+Also see the following topic for information about additional items that can be affected by the upgrade process:
+- [Additional insights](upgrade-analytics-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity.
+## Target OS
+
+The target OS setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version.
+
+As mentioned previously, the default target OS in Upgrade Analytics is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target OS setting is used to evaluate the number of computers that are already running this version of Windows, or a later version.
+
+The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target OS. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Analytics is based on the target OS version.
+
+You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610.
+
+To change the target OS setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Analytics solution:
+
+
+
+>You must be signed in to Upgrade Analytics as an administrator to view settings.
+
+On the **Upgrade Analytics Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target OS setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
+
+
diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md
index 9f6a18384a..9dca476f1c 100644
--- a/windows/deploy/usmt-overview.md
+++ b/windows/deploy/usmt-overview.md
@@ -35,7 +35,7 @@ USMT provides the following benefits to businesses that are deploying Windows op
- Increases employee satisfaction with the migration experience.
## Limitations
-USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [Windows Easy Transfer](https://go.microsoft.com/fwlink/p/?LinkId=140248).
+USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](http://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
There are some scenarios in which the use of USMT is not recommended. These include:
diff --git a/windows/deploy/usmt-requirements.md b/windows/deploy/usmt-requirements.md
index c8632b0b4a..525f3c872b 100644
--- a/windows/deploy/usmt-requirements.md
+++ b/windows/deploy/usmt-requirements.md
@@ -15,11 +15,11 @@ author: greg-lindsay
- [Supported Operating Systems](#bkmk-1)
-
-- [Software Requirements](#bkmk-2)
-
+- [Windows PE](#windows-pe)
+- [Credentials](#credentials)
+- [Config.xml](#config-xml)
+- [LoadState](#loadstate)
- [Hard Disk Requirements](#bkmk-3)
-
- [User Prerequisites](#bkmk-userprereqs)
## Supported Operating Systems
@@ -44,16 +44,6 @@ The following table lists the operating systems supported in USMT.
-
-
-
-
-
-
+You must run USMT using an account with full administrative permissions, including the following privileges:
- 4. Right-click **Command Prompt**.
+- SeBackupPrivilege (Back up files and directories)
+- SeDebugPrivilege (Debug programs)
+- SeRestorePrivilege (Restore files and directories)
+- SeSecurityPrivilege (Manage auditing and security log)
+- SeTakeOwnership Privilege (Take ownership of files or other objects)
- 5. Click **Run as administrator**.
- 6. At the command prompt, type the `ScanState` or `LoadState` command.
+## Config.xml
- **Important**
- You must run USMT in Administrator mode from an account with full administrative permissions, including the following privileges:
+- **Specify the /c option and <ErrorControl> settings in the Config.xml file.**
+ USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md).
- - SeBackupPrivilege (Back up files and directories)
+## LoadState
- - SeDebugPrivilege (Debug programs)
-
- - SeRestorePrivilege (Restore files and directories)
-
- - SeSecurityPrivilege (Manage auditing and security log)
-
- - SeTakeOwnership Privilege (Take ownership of files or other objects)
-
-
-
-- **Specify the /c option and <ErrorControl> settings in the Config.xml file.** USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md).
-
-- **Install applications before running the LoadState command.** Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved.
+- **Install applications before running the LoadState command.**
+ Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved.
## Hard-Disk Requirements
@@ -146,21 +133,16 @@ Ensure that there is enough available space in the migration-store location and
This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following:
- The navigation and hierarchy of the Windows registry.
-
- The files and file types that applications use.
-
- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors.
-
- XML-authoring basics.
## Related topics
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
-
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+[Plan Your Migration](usmt-plan-your-migration.md)
+[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md
new file mode 100644
index 0000000000..54eb632a5f
--- /dev/null
+++ b/windows/deploy/windows-10-poc-mdt.md
@@ -0,0 +1,646 @@
+---
+title: Step by step - Deploy Windows 10 in a test lab using MDT
+description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+
+# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
+
+**Applies to**
+
+- Windows 10
+
+**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+
+Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
+- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+
+The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
+- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
+- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
+- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
+
+>This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
+
+## In this guide
+
+This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image.
+
+Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
+
+
+Topic Description Time
+
+ [About MDT](#about-mdt) A high-level overview of the Microsoft Deployment Toolkit (MDT). Informational
+ [Install MDT](#install-mdt) Download and install MDT. 40 minutes
+ [Create a deployment share and reference image](#create-a-deployment-share-and-reference-image) A reference image is created to serve as the template for deploying new images. 90 minutes
+ [Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt) The reference image is deployed in the PoC environment. 60 minutes
+ [Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10) Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. 60 minutes
+ [Replace a computer with Windows 10](#replace-a-computer-with-windows-10) Back up an existing client computer, then restore this backup to a new computer. 60 minutes
+ [Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities) Log locations and troubleshooting hints. Informational
+
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish**
+
+
+7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
+
+8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
+
+9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+
+10. Use the following settings for the Import Operating System Wizard:
+ - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next**
+ - Progress: wait for files to be copied
+ - Confirmation: click **Finish**
+
+ >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library.
+
+11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence**
+ - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
+ - Specify Product Key: **Do not specify a product key at this time**
+ - Full Name: **Contoso**
+ - Organization: **Contoso**
+ - Internet Explorer home page: **http://www.contoso.com**
+ - Admin Password: **Do not specify an Administrator password at this time**
+ - Summary: click **Next**
+ - Confirmation: click **Finish**
+
+
+12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
+
+13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**.
+
+14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change.
+
+15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
+
+16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
+
+17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
+
+ >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
+
+18. Click **OK** to complete editing the task sequence.
+
+19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab.
+
+20. Replace the default rules with the following text:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ UserDataLocation=NONE
+ DoCapture=YES
+ OSInstall=Y
+ AdminPassword=pass@word1
+ TimeZoneName=Pacific Standard Time
+ OSDComputername=#Left("PC-%SerialNumber%",7)#
+ JoinWorkgroup=WORKGROUP
+ HideShell=YES
+ FinishAction=SHUTDOWN
+ DoNotCreateExtraPartition=YES
+ ApplyGPOPack=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=YES
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=YES
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipRoles=YES
+ SkipCapture=NO
+ SkipFinalSummary=NO
+ ```
+
+21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ DeployRoot=\\SRV1\MDTBuildLab$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
+
+22. Click **OK** to complete the configuration of the deployment share.
+
+23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
+
+24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
+
+25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
+
+ >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
+
+26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+
+
+
+ New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
+ Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
+ Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
+ Start-VM REFW10X64-001
+ vmconnect localhost REFW10X64-001
+
+
+
+ This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
+
+## Deploy a Windows 10 image using MDT
+
+This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
+
+1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
+ - **Deployment share path**: C:\MDTProd
+ - **Share name**: MDTProd$
+ - **Deployment share description**: MDT Production
+ - **Options**: accept the default
+
+
+2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**.
+
+3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
+
+4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+
+5. On the **OS Type** page, choose **Custom image file** and then click **Next**.
+
+6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**.
+
+7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
+
+8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**.
+
+9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**.
+
+10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
+
+ 
+
+
+### Create the deployment task sequence
+
+1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**.
+
+2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: W10-X64-001
+ - Task sequence name: Windows 10 Enterprise x64 Custom Image
+ - Task sequence comments: Production Image
+ - Select Template: Standard Client Task Sequence
+ - Select OS: Windows 10 Enterprise x64 Custom Image
+ - Specify Product Key: Do not specify a product key at this time
+ - Full Name: Contoso
+ - Organization: Contoso
+ - Internet Explorer home page: http://www.contoso.com
+ - Admin Password: pass@word1
+
+### Configure the MDT production deployment share
+
+1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
+
+ ```
+ copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
+ copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
+ ```
+2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**.
+
+3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet):
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=YES
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ OSDComputername=#Left("PC-%SerialNumber%",7)#
+ AdminPassword=pass@word1
+ JoinDomain=contoso.com
+ DomainAdmin=administrator
+ DomainAdminDomain=CONTOSO
+ DomainAdminPassword=pass@word1
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=YES
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ EventService=http://SRV1:9800
+ ```
+ **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
+
+ >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
+
+ If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
+
+ ```
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ ```
+
+ For example, to migrate **all** users on the computer, replace this line with the following:
+
+ ```
+ ScanStateArgs=/all
+ ```
+
+ For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx).
+
+4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ DeployRoot=\\SRV1\MDTProd$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
+5. Click **OK** when finished.
+
+### Update the deployment share
+
+1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**.
+
+2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
+
+3. Click **Finish** when the update is complete.
+
+### Enable deployment monitoring
+
+1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**.
+
+2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
+
+3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/).
+
+4. Close Internet Explorer.
+
+### Configure Windows Deployment Services
+
+1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
+ WDSUTIL /Set-Server /AnswerClients:All
+ ```
+
+2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**.
+
+3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**.
+
+4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image.
+
+### Deploy the client image
+
+1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway.
+
+ >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
+
+ Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
+
+ ```
+ Disable-NetAdapter "Ethernet 2" -Confirm:$false
+ ```
+
+ >Wait until the disable-netadapter command completes before proceeding.
+
+
+2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+ Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
+ ```
+
+ >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
+
+3. Start the new VM and connect to it:
+
+ ```
+ Start-VM PC2
+ vmconnect localhost PC2
+ ```
+4. When prompted, hit ENTER to start the network boot process.
+
+5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
+
+6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+
+ ```
+ Enable-NetAdapter "Ethernet 2"
+ ```
+7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
+8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
+
+ 
+
+
+This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
+
+## Refresh a computer with Windows 10
+
+This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
+
+1. If the PC1 VM is not already running, then start and connect to it:
+
+ ```
+ Start-VM PC1
+ vmconnect localhost PC1
+ ```
+
+2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name PC1 -SnapshotName BeginState
+ ```
+
+3. Sign on to PC1 using the CONTOSO\Administrator account.
+
+ >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
+
+4. Open an elevated command prompt on PC1 and type the following:
+
+ ```
+ cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
+ ```
+
+ **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer.
+
+5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
+
+6. Choose **Do not back up the existing computer** and click **Next**.
+
+ **Note**: The USMT will still back up the computer.
+
+7. Lite Touch Installation will perform the following actions:
+ - Back up user settings and data using USMT.
+ - Install the Windows 10 Enterprise X64 operating system.
+ - Update the operating system via Windows Update.
+ - Restore user settings and data using USMT.
+
+ You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
+
+8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
+
+9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name PC1 -SnapshotName RefreshState
+ ```
+
+10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
+ Start-VM PC1
+ vmconnect localhost PC1
+ ```
+
+11. Sign in to PC1 using the contoso\administrator account.
+
+## Replace a computer with Windows 10
+
+At a high level, the computer replace process consists of:
+- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
+- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
+
+### Create a backup-only task sequence
+
+1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
+2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share.
+3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ New-Item -Path C:\MigData -ItemType directory
+ New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
+ icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
+ ```
+4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**.
+5. Name the new folder **Other**, and complete the wizard using default options.
+6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard:
+ - **Task sequence ID**: REPLACE-001
+ - **Task sequence name**: Backup Only Task Sequence
+ - **Task sequence comments**: Run USMT to back up user data and settings
+ - **Template**: Standard Client Replace Task Sequence (note: this is not the default template)
+7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings.
+8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence.
+
+### Run the backup-only task sequence
+
+1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
+
+ ```
+ whoami
+ ```
+2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1:
+
+ ```
+ Remove-Item c:\minint -recurse
+ Remove-Item c:\_SMSTaskSequence -recurse
+ Restart-Computer
+ ```
+2. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
+
+ ```
+ cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
+ ```
+3. Complete the deployment wizard using the following:
+ - **Task Sequence**: Backup Only Task Sequence
+ - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
+ - **Computer Backup**: Do not back up the existing computer.
+4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
+5. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
+6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
+
+ ```
+ PS C:\> dir C:\MigData\PC1\USMT
+
+ Directory: C:\MigData\PC1\USMT
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
+ ```
+### Deploy PC3
+
+1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+ Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
+ ```
+2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Disable-NetAdapter "Ethernet 2" -Confirm:$false
+ ```
+
+ >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
+
+
+3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Start-VM PC3
+ vmconnect localhost PC3
+ ```
+
+4. When prompted, press ENTER for network boot.
+
+6. On PC3, use the following settings for the Windows Deployment Wizard:
+ - **Task Sequence**: Windows 10 Enterprise x64 Custom Image
+ - **Move Data and Settings**: Do not move user data and settings
+ - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
+
+5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
+
+ ```
+ Enable-NetAdapter "Ethernet 2"
+ ```
+7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
+
+8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
+
+9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
+
+10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
+
+## Troubleshooting logs, events, and utilities
+
+Deployment logs are available on the client computer in the following locations:
+- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
+- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
+- After deployment: %WINDIR%\TEMP\DeploymentLogs
+
+You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
+
+Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012)
+
+Also see [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
+
+## Related Topics
+
+[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)
+[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md)
+
+
+
+
+
+
+
diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md
new file mode 100644
index 0000000000..ff0b497b45
--- /dev/null
+++ b/windows/deploy/windows-10-poc-sc-config-mgr.md
@@ -0,0 +1,1053 @@
+---
+title: Deploy Windows 10 using System Center Configuration Manager
+description: Deploy Windows 10 in a test lab using System Center Configuration Manager
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Deploy Windows 10 in a test lab using System Center Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides:
+- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+
+Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide.
+
+The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
+- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
+- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
+- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
+
+This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
+
+>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
+
+## In this guide
+
+This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
+
+Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
+
+
+Topic Description Time
+
+ [Install prerequisites](#install-prerequisites) Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK. 60 minutes
+ [Install System Center Configuration Manager](#install-system-center-configuration-manager) Download System Center Configuration Manager, configure prerequisites, and install the package. 45 minutes
+ [Download MDOP and install DaRT](#download-mdop-and-install-dart) Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10. 15 minutes
+ [Prepare for Zero Touch installation](#prepare-for-zero-touch-installation) Prerequisite procedures to support Zero Touch installation. 60 minutes
+ [Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager) Use the MDT wizard to create the boot image in Configuration Manager. 20 minutes
+ [Create a Windows 10 reference image](#create-a-windows-10-reference-image) This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image. 0-60 minutes
+ [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image) Add a Windows 10 operating system image and distribute it. 10 minutes
+ [Create a task sequence](#Create a task sequence) Create a Configuration Manager task sequence with MDT integration using the MDT wizard 15 minutes
+ [Finalize the operating system configuration](#finalize-the-operating-system-configuration) Enable monitoring, configure rules, and distribute content. 30 minutes
+ [Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager) Deploy Windows 10 using Configuration Manager deployment packages and task sequences. 60 minutes
+ [Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager) Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT 90 minutes
+ [Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager) Replace a client computer with Windows 10 using Configuration Manager. 90 minutes
+
+ 
+
+5. Click **OK**.
+6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+
+ ```
+ cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
+
+ abortpxe.com
+ bootmgfw.efi
+ bootmgr.exe
+ pxeboot.com
+ pxeboot.n12
+ wdsmgfw.efi
+ wdsnbp.com
+ ```
+ >If these files are not present, type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+
+ The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the C:\RemoteInstall\SMSBoot\x64 directory. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the C:\RemoteInstall directory is being populated with necessary files:
+
+ Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
+
+ Once the files are present in C:\RemoteInstall, you can close the cmtrace tool.
+
+### Create a branding image file
+
+1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
+2. Type the following command at an elevated Windows PowerShell prompt:
+
+ ```
+ copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
+ ```
+ >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
+
+
+### Create a boot image for Configuration Manager
+
+1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
+2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
+ - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
+3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
+4. On the Options page, under **Platform** choose **x64**, and click **Next**.
+5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
+6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
+7. Click **Finish**.
+8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
+9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
+10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+
+ In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
+
+ ```
+ STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
+ ```
+
+11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
+13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
+14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
+
+ ```
+ cmd /c dir /s /b C:\RemoteInstall\SMSImages
+
+ C:\RemoteInstall\SMSImages\PS100004
+ C:\RemoteInstall\SMSImages\PS100005
+ C:\RemoteInstall\SMSImages\PS100006
+ C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
+ C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
+ C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
+ ```
+
+ >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
+
+### Create a Windows 10 reference image
+
+If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
+
+1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
+ ```
+2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
+
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+
+4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+
+5. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTBuildLab**
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish**
+
+6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
+
+7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
+
+7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+
+8. Use the following settings for the Import Operating System Wizard:
+ - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next**
+ - Confirmation: click **Finish**
+
+9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library.
+
+10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence**
+ - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
+ - Specify Product Key: **Do not specify a product key at this time**
+ - Full Name: **Contoso**
+ - Organization: **Contoso**
+ - Internet Explorer home page: **http://www.contoso.com**
+ - Admin Password: **Do not specify an Administrator password at this time**
+ - Summary: click **Next**
+ - Confirmation: click **Finish**
+
+11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
+
+12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
+
+13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again.
+
+14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
+
+15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
+
+16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
+ >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
+
+17. Click **OK** to complete editing the task sequence.
+
+18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab.
+
+19. Replace the default rules with the following text:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ UserDataLocation=NONE
+ DoCapture=YES
+ OSInstall=Y
+ AdminPassword=pass@word1
+ TimeZoneName=Pacific Standard TimeZoneName
+ OSDComputername=#Left("PC-%SerialNumber%",7)#
+ JoinWorkgroup=WORKGROUP
+ HideShell=YES
+ FinishAction=SHUTDOWN
+ DoNotCreateExtraPartition=YES
+ ApplyGPOPack=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=YES
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=YES
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipRoles=YES
+ SkipCapture=NO
+ SkipFinalSummary=NO
+ ```
+
+20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ DeployRoot=\\SRV1\MDTBuildLab$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
+
+21. Click **OK** to complete the configuration of the deployment share.
+
+22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
+
+23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
+
+24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
+
+ >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
+
+25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+
+ ```
+ New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
+ Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
+ Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
+ Start-VM REFW10X64-001
+ vmconnect localhost REFW10X64-001
+ ```
+26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
+
+27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
+
+ Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
+
+ - Install the Windows 10 Enterprise operating system.
+ - Install added applications, roles, and features.
+ - Update the operating system using Windows Update (or WSUS if optionally specified).
+ - Stage Windows PE on the local disk.
+ - Run System Preparation (Sysprep) and reboot into Windows PE.
+ - Capture the installation to a Windows Imaging (WIM) file.
+ - Turn off the virtual machine.
+
+ This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
+
+### Add a Windows 10 operating system image
+
+1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64"
+ cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
+ ```
+
+2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**.
+
+3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**.
+
+4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**.
+
+5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**.
+
+6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
+
+7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
+
+ >If content distribution is not successful, verify that sufficient disk space is available.
+
+### Create a task sequence
+
+>Complete this section slowly. There are a large number of similar settings from which to choose.
+
+1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
+
+2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**.
+
+3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
+
+4. On the Details page, enter the following settings:
+ - Join a domain: **contoso.com**
+ - Account: click **Set**
+ - User name: **contoso\CM_JD**
+ - Password: **pass@word1**
+ - Confirm password: **pass@word1**
+ - Click **OK**
+ - Windows Settings
+ - User name: **Contoso**
+ - Organization name: **Contoso**
+ - Product key: \
+ - Request state storage location to: **Restore state from another computer**
+ - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **Apply**
.
+
+6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**.
+
+7. Configure the **Release State Store** action that was just added with the following settings:
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **OK**
.
+
+
+### Finalize the operating system configuration
+
+>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini.
+
+1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**.
+
+2. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTProduction**
+ - Share name: **MDTProduction$**
+ - Deployment share description: **MDT Production**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish**
+
+3. Right-click the **MDT Production** deployment share, and click **Properties**.
+
+4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
+
+5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
+ ```
+6. Replace the contents of the file with the following text, and then save the file:
+
+ ```
+ [Settings]
+ Priority=Default
+ Properties=OSDMigrateConfigFiles,OSDMigrateMode
+
+ [Default]
+ DoCapture=NO
+ ComputerBackupLocation=NONE
+ OSDMigrateMode=Advanced
+ OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
+ OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
+ SLSHARE=\\SRV1\Logs$
+ EventService=http://SRV1:9800
+ ApplyGPOPack=NO
+ ```
+
+ >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts:
+
+ ```
+ OSDMigrateAdditionalCaptureOptions=/all
+ ```
+
+
+7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears.
+
+8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**.
+
+9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
+
+10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**.
+
+### Create a deployment for the task sequence
+
+1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**.
+
+2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**.
+
+3. On the Deployment Settings page, use the following settings:
+ - Purpose: **Available**
+ - Make available to the following: **Only media and PXE**
+ - Click **Next**.
+4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
+
+5. Click **Close**.
+
+## Deploy Windows 10 using PXE and Configuration Manager
+
+In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings.
+
+1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+ Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
+ Start-VM PC4
+ vmconnect localhost PC4
+ ```
+
+2. Press ENTER when prompted to start the network boot service.
+
+3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**.
+
+4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
+
+5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
+
+6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
+ - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted.
+ - x:\smstslog\smsts.log after disks are formatted.
+ - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed.
+ - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed.
+ - c:\windows\ccm\logs\smsts.log when the task sequence is complete.
+
+ Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open.
+
+7. In the explorer window, click **Tools** and then click **Map Network Drive**.
+
+8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1.
+
+9. Close the Map Network Drive window, the Explorer window, and the command prompt.
+
+10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment.
+
+11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
+ - Install Windows 10
+ - Install the Configuration Manager client and hotfix
+ - Join the computer to the contoso.com domain
+ - Install any applications that were specified in the reference image
+
+
+12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
+
+13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image.
+
+14. Shut down the PC4 VM.
+
+## Refresh a client with Windows 10 using Configuration Manager
+
+>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console to remove stale entries under contoto.com\Computers, but **do not delete the computer account (hostname) for PC1**. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
+
+### Install the Configuration Manager client on PC1
+
+1. Verify that PC1 is in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
+
+2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name PC1 -SnapshotName BeginState
+ ```
+3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarcy Configuration** and click on **Discovery Methods**.
+4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
+5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times.
+6. When a popup dialog box asks if you want to run full discovery, click **Yes**.
+7. In the Assets and Compliance workspace, expand **Devices** and click **All Systems**. Verify that a computer account for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the hostname of PC1 in this example):
+
+ 
+
+ >If you only see the **Devices** parent node, you can add and view device collections in the tree by clicking **Device Collections** and then double-clicking a device collection.
+
+ The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next.
+
+8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists:
+
+ ```
+ sc stop ccmsetup
+ "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
+ ```
+ >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/).
+
+9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue:
+
+ ```
+ net stop wuauserv
+ net stop BITS
+ ```
+
+ Verify that both services were stopped successfully, then type the following at an elevated command prompt:
+
+ ```
+ del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
+ net start BITSexit
+ bitsadmin /list /allusers
+ ```
+
+ Verify that BITSAdmin displays 0 jobs.
+
+10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt:
+
+ ```
+ "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1
+ ```
+11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
+12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
+
+ ```
+ Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait
+ ```
+
+ Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation. A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
+
+13. On PC1, open the Configuration Manager control panel applet by typing the following command:
+
+ ```
+ control smscfgrc
+ ```
+
+14. Click the **Site** tab and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
+
+ 
+
+ If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**.
+
+15. On SRV1, in the Assets and Compliance workspace, click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
+
+ 
+
+ >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above.
+
+### Create a device collection and deployment
+
+1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
+
+2. Use the following settings in the **Create Device Collection Wizard**:
+ - General > Name: **Install Windows 10 Enterprise x64**
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM
+ - Click **Next** twice and then click **Close** in both windows.
+
+3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
+
+4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**.
+
+5. Use the following settings in the Deploy Sofware wizard:
+ - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
+ - Deployment Settings > Purpose: **Available**
+ - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
+ - Scheduling > Click **Next**
+ - User Experience > Click **Next**
+ - Alerts > Click **Next**
+ - Distribution Points > Click **Next**
+ - Summary > Click **Next**
+ - Verify that the wizard completed successfully and then click **Close**
+
+6. **Important** Before initiating a computer refresh, save a checkpoint for all three computers: PC1, SRV1, and DC1. This ensures that we can restore all computers, including Active Directory and the Configuration Manager client status to the pre-Windows 10 installation state prior to running the replace procedure. To save checkpoints, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name PC1 -SnapshotName cm-start
+ Checkpoint-VM -Name SRV1 -SnapshotName cm-start
+ Checkpoint-VM -Name DC1 -SnapshotName cm-start
+ ```
+
+### Initiate the computer refresh
+
+1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
+2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box.
+3. On PC1, in the notification area, click **New sofware is available** and then click **Open Sofware Center**.
+4. In the Sofware Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
+
+ 
+
+ The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example:
+
+ 
+
+ You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**.
+
+ When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
+
+ 
+
+5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required. To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name DC1 -SnapshotName cm-refresh
+ Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh
+ Checkpoint-VM -Name PC1 -SnapshotName cm-refresh
+ ```
+
+## Replace a client with Windows 10 using Configuration Manager
+
+Before starting the replace procedure, restore all three VMs using the checkpoints created in the previous procedure. To restore the checkpoints and connect to the VMs again, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+```
+Restore-VMSnapshot -VMName DC1 -Name cm-start -Confirm:$false
+Restore-VMSnapshot -VMName SRV1 -Name cm-start -Confirm:$false
+Restore-VMSnapshot -VMName PC1 -Name cm-start -Confirm:$false
+Start-VM DC1
+vmconnect localhost DC1
+Start-VM SRV1
+vmconnect localhost SRV1
+Start-VM PC1
+vmconnect localhost PC1
+```
+
+>If resources are limited in the Hyper-V environment, SRV1 can require several minutes for all services to start and present the sign-in screen after restoring VMs. Verify that all required services are running, and start any service that are not running. Use the Server Manager dashboard to view and start services. When all services are running, open the Configuration Manager console.
+
+### Create a replace task sequence
+
+1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
+
+2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**.
+
+3. On the General page, type the following:
+ - Task sequence name: **Replace Task Sequence**
+ - Task sequence comments: **USMT backup only**
+
+4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue.
+5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue.
+6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue.
+7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue.
+8. On the Summary page, review the details and then click **Next**.
+9. On the Confirmation page, click **Finish**.
+
+>If you receive an error at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration.
+
+### Deploy PC4
+
+Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+```
+New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
+Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
+```
+
+>Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer.
+
+### Associate PC4 with PC1
+
+1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**.
+
+2. On the Select Source page, choose **Import single computer** and click **Next**.
+
+3. On the Single Computer page, use the following settings:
+ - Computer Name: **PC4**
+ - MAC Address: **00:15:5D:83:26:FF**
+ - Source Computer:
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM.
+ - Click **Next** twice and then click **Close** in both windows.
+
+3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed.
+
+### Create a new deployment
+
+In the Configuration Manager console, in the Software Library workspace, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings:
+- General > Collection: **USMT Backup (Replace)**
+- Deployment Settings > Purpose: **Available**
+- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
+- Scheduling: Click **Next**
+- User Experience: Click **Next**
+- Alerts: Click **Next**
+- Distribution Points: Click **Next**
+- Click **Next** and then click **Close**.
+
+### Verify the backup
+
+1. On PC1, open the Configuration Manager control panel applet by typing the following command:
+
+ ```
+ control smscfgrc
+ ```
+2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is another method that can be used in addition to the Client Notification method used previously.
+
+3. Using the Software Center as was done in the previous procedure, click **Operating Systems** and then click **Replace Task Sequence**. See the following example:
+
+ 
+
+4. Click **Install** and then click **INSTALL OPERATING SYSTEM**.
+5. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup.
+
+### Deploy the new computer
+
+1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host:
+
+ ```
+ Start-VM PC4
+ vmconnect localhost PC4
+ ```
+2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and click **Next**.
+3. Choose the **Windows 10 Enterprise X64** image.
+4. Setup will install the operating system, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
+
+
+## Related Topics
+
+[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides)
+
+
+
+
+
+
+
diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md
new file mode 100644
index 0000000000..74b8d0f352
--- /dev/null
+++ b/windows/deploy/windows-10-poc.md
@@ -0,0 +1,1090 @@
+---
+title: Configure a test lab to deploy Windows 10
+description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Step by step guide: Configure a test lab to deploy Windows 10
+
+**Applies to**
+
+- Windows 10
+
+This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
+
+- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
+- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+
+The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance.
+
+Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software.
+
+Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment.
+
+>Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands.
+
+>A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell.
+
+Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-in-this-guide) used in this guide before starting.
+
+## In this guide
+
+This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings.
+
+After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab.
+
+Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
+
+
+Topic Description Time
+
+ [Hardware and software requirements](#hardware-and-software-requirements) Prerequisites to complete this guide. Informational
+ [Lab setup](#lab-setup) A description and diagram of the PoC environment. Informational
+ [Configure the PoC environment](#configure-the-poc-environment) Parent topic for procedures. Informational
+ [Verify support and install Hyper-V](#verify-support-and-install-hyper-v) Verify that installation of Hyper-V is supported, and install the Hyper-V server role. 10 minutes
+ [Download VHD and ISO files](#download-vhd-and-iso-files) Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host. 30 minutes
+ [Convert PC to VM](#convert-pc-to-vm) Convert a physical computer on your network to a VM hosted in Hyper-V. 30 minutes
+ [Resize VHD](#resize-vhd) Increase the storage capacity for one of the Windows Server VMs. 5 minutes
+ [Configure Hyper-V](#configure-hyper-v) Create virtual switches, determine available RAM for virtual machines, and add virtual machines. 15 minutes
+ [Configure VHDs](#configure-vhds) Start virtual machines and configure all services and settings. 60 minutes
+ [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) Verify and troubleshoot network connectivity and services in the PoC environment. 30 minutes
+ [Appendix B: Terminology in this guide](#appendix-d-terminology-in-this-guide) Terms used in this guide. Informational
+
+
+
+
+*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
+
+
+
+ **Computer 1** (required)
+ **Computer 2** (recommended)
+
+
+ **Role**
+ Hyper-V host
+ Client computer
+
+
+ **Description**
+ This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.
+ This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
+
+
+ **OS**
+ Windows 8.1/10 or Windows Server 2012/2012 R2/2016*
+ Windows 7 or a later
+
+
+ **Edition**
+ Enterprise, Professional, or Education
+ Any
+
+
+ **Architecture**
+ 64-bit
+ Any
+
Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
+
+ **RAM**
+ 8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
+
+
16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.Any
+
+
+ **Disk**
+ 200 GB available hard disk space, any format.
+ Any size, MBR formatted.
+
+
+ **CPU**
+ SLAT-Capable CPU
+ Any
+
+
+**Network**
+ Internet connection
+ Any
+
+
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
+
+
+[Download VHD and ISO files](#download-vhd-and-iso-files)
+[Convert PC to VM](#convert-pc-to-vm)
+[Resize VHD](#resize-vhd)
+[Configure Hyper-V](#configure-hyper-v)
+[Configure VMs](#configure-vms)
+
+### Verify support and install Hyper-V
+
+Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+
+1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+
+
+ C:\>systeminfo
+
+ ...
+ Hyper-V Requirements: VM Monitor Mode Extensions: Yes
+ Virtualization Enabled In Firmware: Yes
+ Second Level Address Translation: Yes
+ Data Execution Prevention Available: Yes
+
+
+ In this example, the computer supports SLAT and Hyper-V.
+
+ If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+
+ You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/en-us/library/cc731397.aspx) tool, or you can download the [coreinfo](http://technet.microsoft.com/en-us/sysinternals/cc835722) utility and run it, as shown in the following example:
+
+
+ C:\>coreinfo -v
+
+ Coreinfo v3.31 - Dump information on system CPU and memory topology
+ Copyright (C) 2008-2014 Mark Russinovich
+ Sysinternals - www.sysinternals.com
+
+ Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+ Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+ Microcode signature: 0000001B
+ HYPERVISOR - Hypervisor is present
+ VMX * Supports Intel hardware-assisted virtualization
+ EPT * Supports Intel extended page tables (SLAT)
+
+
+ Note: A 64-bit operating system is required to run Hyper-V.
+
+2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
+
+ Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
+
+ This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
+
+ Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+
+ When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
+
+ >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+
+ 
+
+ 
+
+
+
+
+2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
+3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
+4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
+
+ >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
+
+5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
+
+After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
+
+The following displays the procedures described in this section, both before and after downloading files:
+
+ 
+C:\>mkdir VHD
+C:\>cd VHD
+C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
+C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
+ 1 file(s) copied.
+C:\VHD ren *.iso w10-enterprise.iso
+C:\VHD>dir /B
+2012R2-poc-1.vhd
+2012R2-poc-2.vhd
+w10-enterprise.iso
+
+
+### Convert PC to VM
+
+>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
+
+
+
+If you have a PC available to convert to VM (computer 2):
+
+1. Sign in on computer 2 using an account with Administrator privileges.
+
+>Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
+
+2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
+3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
+
+#### Determine the VM generation and partition type
+
+When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
+
+
+If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
+
+
+
+
+
+
+
+
+
+ Architecture
+ Operating system
+ Partition style
+
+
+ Generation 1
+ 32-bit or 64-bit
+ Windows 7 or later
+ MBR
+
+
+Generation 2
+ 64-bit
+ Windows 8 or later
+ MBR or GPT
+
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+
+If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
+
+
+PS C:\> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName Caption Type
+---------- ------- ----
+USER-PC1 Disk #0, Partition #0 GPT: System
+USER-PC1 Disk #0, Partition #1 GPT: Basic Data
+
+
+On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
+
+
+PS C:\> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+
+SystemName Caption Type
+---------- ------- ----
+PC-X1 Disk #0, Partition #0 GPT: Unknown
+PC-X1 Disk #0, Partition #1 GPT: System
+PC-X1 Disk #0, Partition #2 GPT: Basic Data
+PC-X1 Disk #0, Partition #3 GPT: Basic Data
+PC-X1 Disk #0, Partition #4 GPT: Basic Data
+
+PS C:\> Get-Disk
+
+Number Friendly Name OperationalStatus Total Size Partition Style
+------ ------------- ----------------- ---------- ---------------
+0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT
+
+
+**Choosing a VM generation**
+
+The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
+
+
+
+
+
+
+ OS
+ Partition style
+ Architecture
+ VM generation
+ Procedure
+
+
+ Windows 7
+ MBR
+ 32
+ 1
+ [Prepare a generation 1 VM](#prepare-a-generation-1-vm)
+
+
+ 64
+ 1
+ [Prepare a generation 1 VM](#prepare-a-generation-1-vm)
+
+
+ GPT
+ 32
+ N/A
+ N/A
+
+
+ 64
+ 1
+ [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
+
+
+ Windows 8 or later
+ MBR
+ 32
+ 1
+ [Prepare a generation 1 VM](#prepare-a-generation-1-vm)
+
+
+ 64
+ 1, 2
+ [Prepare a generation 1 VM](#prepare-a-generation-1-vm)
+
+
+ GPT
+ 32
+ 1
+ [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
+
+
+64
+ 2
+ [Prepare a generation 2 VM](#prepare-a-generation-2-vm)
+
+
+
+
+#### Prepare a generation 1 VM
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+ >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+3. Select the checkboxes next to the **C:\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
+
+ 
+
+ >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+
+ C:\vhd>dir /B
+ 2012R2-poc-1.vhd
+ 2012R2-poc-2.vhd
+ w10-enterprise.iso
+ w7.VHDX
+
+
+#### Prepare a generation 2 VM
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+ >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, open an elevated command prompt and type the following command:
+
+ mountvol s: /s
+
+ This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
+
+3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+4. Select the checkboxes next to the **C:\** and the **S:\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected.
+
+ **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
+
+5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
+
+ 
+
+ >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+
+ C:\vhd>dir /B
+ 2012R2-poc-1.vhd
+ 2012R2-poc-2.vhd
+ w10-enterprise.iso
+ PC1.VHDX
+
+
+#### Prepare a generation 1 VM from a GPT disk
+
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+
+ >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+
+2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+3. Select the checkbox next to the **C:\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
+4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
+
+ 
+
+ >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+
+5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
+
+
+ C:\vhd>dir /B
+ 2012R2-poc-1.vhd
+ 2012R2-poc-2.vhd
+ w10-enterprise.iso
+ w7.VHD
+
+
+ >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
+
+### Resize VHD
+
+
+**Enhanced session mode**
+
+**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+
+To verify that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
+
+Set-VMhost -EnableEnhancedSessionMode $TRUE
+
+>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
+
+
+
+The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
+
+1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+
+ Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
+ $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
+ Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
+
+
+2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
+
+
+ Get-Volume -DriveLetter $x
+ Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
+
+### Configure Hyper-V
+
+1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
+
+ >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+ A) Remove the existing external virtual switch, then add the poc-external switch
+ B) Rename the existing external switch to "poc-external"
+ C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
+ If you choose B) or C), then do not run the second command below.
+
+
+ New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
+ New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
+
+
+ **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
+
+ >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+
+2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
+
+
+ (Get-VMHostNumaNode).MemoryAvailable
+
+
+ This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
+
+3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
+
+
+ (Get-VMHostNumaNode).MemoryAvailable/4
+ 2775.5
+
+
+ In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
+
+4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
+ >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
+
+
+ $maxRAM = 2700MB
+ New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
+ Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
+ New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
+ Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
+ Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
+
+
+ **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
+
+5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
+
+ To create a generation 1 VM (using c:\vhd\w7.vhdx):
+
+
+ New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
+ Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
+
+ To create a generation 2 VM (using c:\vhd\PC1.vhdx):
+
+
+ New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
+ Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+
+
+ To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd):
+
+ >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
+
+ First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
+
+
+ New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
+ Mount-VHD -Passthru |
+ Get-Disk -Number {$_.DiskNumber} |
+ Initialize-Disk -PartitionStyle MBR -PassThru |
+ New-Partition -UseMaximumSize |
+ Format-Volume -Confirm:$false -FileSystem NTFS -force
+ Dismount-VHD -Path c:\vhd\d.vhd
+
+
+ Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt):
+
+
+ New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
+ Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
+ Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
+ Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
+ Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
+ Start-VM PC1
+ vmconnect localhost PC1
+
+
+ The VM will automatically boot into Windows Setup. In the PC1 window:
+
+ 1. Click **Next**.
+ 2. Click **Repair your computer**.
+ 3. Click **Troubleshoot**.
+ 4. Click **Command Prompt**.
+ 5. Type the following command to save an image of the OS drive:
+
+
+ dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
+
+
+ 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
+
+
+ diskpart
+ select disk 0
+ clean
+ convert MBR
+ create partition primary size=100
+ format fs=ntfs quick
+ active
+ create partition primary
+ format fs=ntfs quick label=OS
+ assign letter=c
+ exit
+
+
+ 7. Type the following commands to restore the OS image and boot files:
+
+
+ dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
+ bcdboot c:\windows
+ exit
+
+
+ 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
+ 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
+ 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
+
+
+ Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
+ Set-VMDvdDrive -VMName PC1 -Path $null
+
+
+### Configure VMs
+
+1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
+
+
+ Start-VM DC1
+ vmconnect localhost DC1
+
+
+2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of **pass@word1**, and click **Finish**.
+3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
+4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
+5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
+
+
+ Rename-Computer DC1
+ New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
+ Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+
+
+ >The default gateway at 192.168.0.2 will be configured later in this guide.
+
+ >Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
+
+6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
+
+
+ Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
+
+
+7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
+
+
+ Restart-Computer
+
+
+8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
+
+
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+ Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
+
+
+ Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
+
+9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and supress the post-DHCP-install alert:
+
+
+ Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
+ Add-WindowsFeature -Name DHCP -IncludeManagementTools
+ netsh dhcp add securitygroups
+ Restart-Service DHCPServer
+ Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
+ Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
+
+
+10. Next, add a DHCP scope and set option values:
+
+
+ Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
+ Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
+
+
+ >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
+
+11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
+
+
+ Get-DnsServerForwarder
+
+
+ The following output should be displayed:
+
+
+ UseRootHint : True
+ Timeout(s) : 3
+ EnableReordering : True
+ IPAddress : 192.168.0.2
+ ReorderedIPAddress : 192.168.0.2
+
+
+ If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
+
+
+ Add-DnsServerForwarder -IPAddress 192.168.0.2
+
+
+12. Minimize the DC1 VM window but **do not stop** the VM.
+
+ Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain.
+
+13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
+
+
+ Start-VM PC1
+ vmconnect localhost PC1
+
+
+14. Sign in to PC1 using an account that has local administrator rights.
+
+ >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
+
+15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
+
+ 
+
+ >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
+
+16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
+
+17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
+
+ To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
+
+ ```
+ ipconfig
+
+ Windows IP Configuration
+
+ Ethernet adapter Local Area Connection 3:
+ Connection-specific DNS Suffix . : contoso.com
+ Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18
+ Ipv4 Address. . . . . . . . . . . : 192.168.0.101
+ Subnet Mask . . . . . . . . . . . : 255.255.255.0
+ Default Gateway . . . . . . . . . : 192.168.0.2
+
+ ping dc1.contoso.com
+
+ Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data:
+ Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+ Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+ Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+ Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
+
+ nltest /dsgetdc:contoso.com
+ DC: \\DC1
+ Address: \\192.168.0.1
+ Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8
+ Dom Name: CONTOSO
+ Forest Name: contoso.com
+ Dc Site Name: Default-First-Site-Name
+ Our Site Name: Default-First-Site-Name
+ Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
+ ```
+
+ >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
+
+18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
+
+
+ (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+ $user = "contoso\administrator"
+ $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+ Add-Computer -DomainName contoso.com -Credential $cred
+ Restart-Computer
+
+
+ >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
+
+ See the following example:
+
+ 
+
+19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
+20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
+
+
+ Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
+ Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1" –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
+
+
+ >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
+
+ If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
+
+21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
+
+
+ Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
+
+
+ >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
+
+22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
+ >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
+23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
+24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
+
+
+ Start-VM SRV1
+ vmconnect localhost SRV1
+
+
+25. Accept the default settings, read license terms and accept them, provide an administrator password of **pass@word1**, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
+26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
+27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
+
+
+ Rename-Computer SRV1
+ New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
+ Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
+ Restart-Computer
+
+
+28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
+
+
+ $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
+ $user = "contoso\administrator"
+ $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
+ Add-Computer -DomainName contoso.com -Credential $cred
+ Restart-Computer
+
+
+29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
+
+
+ Install-WindowsFeature -Name DNS -IncludeManagementTools
+ Install-WindowsFeature -Name WDS -IncludeManagementTools
+ Install-WindowsFeature -Name Routing -IncludeManagementTools
+
+
+30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
+
+ To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
+
+
+ Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
+
+ IPAddress InterfaceAlias
+ --------- --------------
+ 10.137.130.118 Ethernet 2
+ 192.168.0.2 Ethernet
+
+
+ In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services.
+
+31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+
+ Install-RemoteAccess -VpnType Vpn
+ cmd /c netsh routing ip nat install
+ cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
+ cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
+ cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
+
+
+32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+
+
+ Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
+
+
+33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
+
+
+ ping www.microsoft.com
+
+
+ If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
+
+ **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
+
+
+ Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
+
+
+34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
+
+
+ PS C:\> ping www.microsoft.com
+
+ Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
+ Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
+ Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+ Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
+ Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
+
+ Ping statistics for 23.222.146.170:
+ Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
+ Approximate round trip times in milli-seconds:
+ Minimum = 1ms, Maximum = 3ms, Average = 2ms
+
+
+35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-b-verify-the-configuration) for more information.
+36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
+
+
+ runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
+ Restart-Computer
+
+
+### Configure service and user accounts
+
+Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
+
+>To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+On DC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+
+New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
+Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
+Set-ADUser -Identity user1 -PasswordNeverExpires $true
+Set-ADUser -Identity administrator -PasswordNeverExpires $true
+Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
+Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
+Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
+
+
+This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
+
+## Appendix A: Verify the configuration
+
+Use the following procedures to verify that the PoC environment is configured properly and working as expected.
+
+1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+
+ Get-Service NTDS,DNS,DHCP
+ DCDiag -a
+ Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
+ Get-DnsServerForwarder
+ Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+ Get-DhcpServerInDC
+ Get-DhcpServerv4Statistics
+ ipconfig /all
+
+
+ **Get-Service** displays a status of "Running" for all three services.
+ **DCDiag** displays "passed test" for all tests.
+ **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
+ **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
+ **Resolve-DnsName** displays public IP address results for www.microsoft.com.
+ **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
+ **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
+ **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
+
+2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
+
+
+ Get-Service DNS,RemoteAccess
+ Get-DnsServerForwarder
+ Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
+ ipconfig /all
+ netsh int ipv4 show address
+
+
+ **Get-Service** displays a status of "Running" for both services.
+ **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
+ **Resolve-DnsName** displays public IP address results for www.microsoft.com.
+ **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
+ **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
+
+3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
+
+
+ whoami
+ hostname
+ nslookup www.microsoft.com
+ ping -n 1 dc1.contoso.com
+ tracert www.microsoft.com
+
+
+ **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
+ **hostname** displays the name of the local computer, for example W7PC-001.
+ **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
+ **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
+ **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
+
+
+## Appendix B: Terminology used in this guide
+
+
+
+
+Term Definition
+ GPT GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
+ Hyper-V Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
+ Hyper-V host The computer where Hyper-V is installed.
+ Hyper-V Manager The user-interface console used to view and configure Hyper-V.
+ MBR Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
+ Proof of concept (PoC) Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
+ Shadow copy A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
+ Virtual machine (VM) A VM is a virtual computer with its own operating system, running on the Hyper-V host.
+ Virtual switch A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
+ VM snapshot A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
+
- Name-based policies, without the
- /*AppCompat*/ stringName-based policies, using the
+ /*AppCompat*/ string or proxy-based policiesName-based policies, without the /*AppCompat*/ string
+ Name-based policies, using the /*AppCompat*/ string or proxy-based policies
Not required. App connects to enterprise cloud resources directly, using an IP address.
@@ -96,7 +96,7 @@ This table includes info about how enlightened apps might behave, based on your
Endpoint URL
- https://DataAccess-PRD.trafficmanager.net:444/api/alerts
+ Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts
+
HTTP Method
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index 350d5e1f54..49801ae337 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -436,11 +436,11 @@ There are no default locations included with WIP, you must add each of your netw
- - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
- - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
- - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
+ - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index a92cf8f9f5..8c70f3782d 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -9,95 +9,131 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
+
# Protect derived domain credentials with Credential Guard
**Applies to**
- Windows 10
- Windows Server 2016
-Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.
+Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
-Credential Guard offers the following features and solutions:
+By enabling Credential Guard, the following features and solutions are provided:
-- **Hardware security** Credential Guard increases the security of derived domain credentials by taking advantage of platform security features including, Secure Boot and virtualization.
-- **Virtualization-based security** Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system.
-- **Better protection against advanced persistent threats** Securing derived domain credentials using the virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
-- **Manageability** You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell.
+- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
+- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
+- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
## How it works
-Credential Guard isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases.
+When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
-Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used.
+When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
-## Hardware and software requirements
+## Requirements
+
+For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
+
+### Hardware and software requirements
To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats.
-You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
+To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
+- Support for Virtualization-based security (required)
+- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
+- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
+
+The Virtualization-based security requires:
+- 64 bit CPU
+- CPU virtualization extensions plus extended page tables
+- Windows hypervisor
+
+### Application requirements
+
+When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
+
+>[!WARNING]
+> Enabling Credential Guard on domain controllers is not supported.
+> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
+
+>[!NOTE]
+> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
+
+Applications will break if they require:
+- Kerberos DES encryption support
+- Kerberos unconstrained delegation
+- Extracting the Kerberos TGT
+- NTLMv1
+
+Applications will prompt & expose credentials to risk if they require:
+- Digest authentication
+- Credential delegation
+- MS-CHAPv2
+
+Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
+
+### Security considerations
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> [!NOTE]
-> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
-> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.
+> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required.
+#### Baseline protection recommendations
-## Credential Guard requirements for baseline protections
-
-|Baseline Protections - requirement | Description |
+|Baseline Protections | Description |
|---------------------------------------------|----------------------------------------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
-> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide.
+> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide.
-## Credential Guard requirements for improved security
+#### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
-The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
-
-### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
-
-| Protections for Improved Security - requirement | Description |
+| Protections for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
-### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016)
+#### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016)
> [!IMPORTANT]
> The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
-| Protections for Improved Security - requirement | Description |
+| Protections for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-### 2017 Additional Qualification Requirements for Credential Guard (starting with the next major release of Windows 10)
+#### 2017 Additional security requirements starting with Windows 10, version 1703
-| Protection for Improved Security - requirement | Description |
+The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
+
+| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
## Manage Credential Guard
@@ -145,11 +181,11 @@ You can do this by using either the Control Panel or the Deployment Image Servic
1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command:
- ``` syntax
+ ```
dism /image:
**Set-RuleOption -FilePath $InitialCIPolicy -Option 0**
+ > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
+
+ > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
- > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
-
- > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned.
+ > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
index 9f7be87cbb..b03c8c1332 100644
--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@@ -30,10 +30,10 @@ For information about enabling Credential Guard, see [Protect derived domain cre
In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS:
-- With Windows 10, version 1607 or Windows Server 2016:
+- Beginning with Windows 10, version 1607 or Windows Server 2016:
Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
-- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
+- With an earlier version of Windows 10:
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
> **Note** You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.
@@ -42,12 +42,8 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
**Figure 1. Enable operating system features for VBS, Windows 10, version 1511**
-After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections.
-
## Enable Virtualization Based Security (VBS) and Device Guard
-Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
-
There are multiple ways to configure VBS features for Device Guard:
- You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic.
@@ -68,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard:
3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
-4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
+4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
@@ -91,7 +87,7 @@ There are multiple ways to configure VBS features for Device Guard:
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
- - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Select the **Enable Virtualization Based Protection of Code Integrity** check box.
+ - With earlier versions of Windows 10:
Select the **Enable Virtualization Based Protection of Code Integrity** check box.
@@ -183,7 +179,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
If you want to customize the preceding recommended settings, use the following settings.
@@ -211,7 +207,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc
**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
``` command
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
### Validate enabled Device Guard hardware-based security features
diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md
index 10001b50e6..9ef4617e9f 100644
--- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md
+++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md
@@ -22,9 +22,9 @@ This policy setting determines whether the Lightweight Directory Access Protocol
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult.
-This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL.
+This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636).
-If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected.
+If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).
>**Caution:** If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
index e3c6cbddf6..b3077d445a 100644
--- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
+++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
@@ -6,7 +6,7 @@ ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: high
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-enable-phone-signin
---
# Enable phone sign-in to PC or VPN
@@ -17,74 +17,3 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.
-
-
-
-> [!NOTE]
-> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
-You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.
-
- ## Prerequisites
-
- - Both phone and PC must be running Windows 10, version 1607.
- - The PC must be running Windows 10 Pro, Enterprise, or Education
- - Both phone and PC must have Bluetooth.
- - The **Microsoft Authenticator** app must be installed on the phone.
- - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- - The phone must be joined to Azure AD or have a work account added.
- - The VPN configuration profile must use certificate-based authentication.
-
-## Set policies
-
-To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
-
-- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
- - Enable **Use Windows Hello for Business**
- - Enable **Phone Sign-in**
-- MDM:
- - Set **UsePassportForWork** to **True**
- - Set **Remote\UseRemotePassport** to **True**
-
-## Configure VPN
-
-To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
-
-- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
-- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
-
-## Get the app
-
-If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).
-
-[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)
-
-
-## Related topics
-
-[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-
-[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-
-[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-
-[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-
-[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-
-[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-
-[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-
-[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md
index 2b626f9576..0616a1e887 100644
--- a/windows/keep-secure/event-4774.md
+++ b/windows/keep-secure/event-4774.md
@@ -1,6 +1,6 @@
---
-title: 4774(S) An account was mapped for logon. (Windows 10)
-description: Describes security event 4774(S) An account was mapped for logon.
+title: 4774(S, F) An account was mapped for logon. (Windows 10)
+description: Describes security event 4774(S, F) An account was mapped for logon.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -8,14 +8,13 @@ ms.sitesec: library
author: Mir0sh
---
-# 4774(S): An account was mapped for logon.
+# 4774(S, F): An account was mapped for logon.
**Applies to**
- Windows 10
- Windows Server 2016
-
-It appears that this event never occurs.
+Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx).
***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md)
@@ -23,11 +22,11 @@ It appears that this event never occurs.
*An account was mapped for logon.*
-*Authentication Package:%1*
+*Authentication Package:Schannel*
-*Account UPN:%2*
+*Account UPN:*<*Acccount*>@<*Domain*>
-*Mapped Name:%3*
+*Mapped Name:*<*Account*>
***Required Server Roles:*** no information.
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md
index 10bf96e580..ff64be6d0f 100644
--- a/windows/keep-secure/guidance-and-best-practices-wip.md
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md
@@ -22,11 +22,10 @@ This section includes info about the enlightened Microsoft apps, including how t
## In this section
|Topic |Description |
|------|------------|
-|[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. |
-|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
-|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
-|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
-|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |
+|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
+|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. |
+|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). |
+|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). |
>[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md
new file mode 100644
index 0000000000..dc6bb1e021
--- /dev/null
+++ b/windows/keep-secure/hello-and-password-changes.md
@@ -0,0 +1,49 @@
+---
+title: Windows Hello and password changes (Windows 10)
+description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
+ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+localizationpriority: high
+---
+# Windows Hello and password changes
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
+
+## Example
+
+Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
+Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
+
+Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
+
+>[!NOTE]
+>This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
+
+## How to update Hello after you change your password on another device
+
+1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
+2. Click **OK.**
+3. Click **Sign-in options**.
+4. Click the **Password** button.
+5. Sign in with new password.
+6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN.
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md
new file mode 100644
index 0000000000..caf9da8a9b
--- /dev/null
+++ b/windows/keep-secure/hello-biometrics-in-enterprise.md
@@ -0,0 +1,97 @@
+---
+title: Windows Hello biometrics in the enterprise (Windows 10)
+description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
+ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
+keywords: Windows Hello, enterprise biometrics
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Hello biometrics in the enterprise
+**Applies to:**
+
+- Windows 10
+
+Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
+
+>[!NOTE]
+>When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+
+Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
+
+##How does Windows Hello work?
+Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
+
+The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
+
+## Why should I let my employees use Windows Hello?
+Windows Hello provides many benefits, including:
+
+- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge.
+
+- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords!
+
+- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
+
+## Where is Microsoft Hello data stored?
+The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.
+
+## Has Microsoft set any device requirements for Windows Hello?
+We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
+
+- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
+
+- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
+
+### Fingerprint sensor requirements
+To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional).
+
+**Acceptable performance range for small to large size touch sensors**
+
+- False Accept Rate (FAR): <0.001 – 0.002%
+
+- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
+
+- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
+
+**Acceptable performance range for swipe sensors**
+
+- False Accept Rate (FAR): <0.002%
+
+- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
+
+- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
+
+### Facial recognition sensors
+To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
+
+- False Accept Rate (FAR): <0.001
+
+- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
+
+- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
+
+## Related topics
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219)
+
+
+
+
+
+
+
+
+
diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md
new file mode 100644
index 0000000000..b325dd3b58
--- /dev/null
+++ b/windows/keep-secure/hello-enable-phone-signin.md
@@ -0,0 +1,84 @@
+---
+title: Enable phone sign-in to PC or VPN (Windows 10)
+description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone.
+keywords: ["identity", "PIN", "biometric", "Hello"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Enable phone sign-in to PC or VPN
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.
+
+
+
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
+You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.
+
+ ## Prerequisites
+
+ - Both phone and PC must be running Windows 10, version 1607.
+ - The PC must be running Windows 10 Pro, Enterprise, or Education
+ - Both phone and PC must have Bluetooth.
+ - The **Microsoft Authenticator** app must be installed on the phone.
+ - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
+ - The phone must be joined to Azure AD or have a work account added.
+ - The VPN configuration profile must use certificate-based authentication.
+
+## Set policies
+
+To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
+
+- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
+ - Enable **Use Windows Hello for Business**
+ - Enable **Phone Sign-in**
+- MDM:
+ - Set **UsePassportForWork** to **True**
+ - Set **Remote\UseRemotePassport** to **True**
+
+## Configure VPN
+
+To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
+
+- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
+- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
+
+## Get the app
+
+If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).
+
+[Tell people how to sign in using their phone.](hello-prepare-people-to-use.md#bmk-remote)
+
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md
new file mode 100644
index 0000000000..98dce6bbda
--- /dev/null
+++ b/windows/keep-secure/hello-errors-during-pin-creation.md
@@ -0,0 +1,233 @@
+---
+title: Windows Hello errors during PIN creation (Windows 10)
+description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
+ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
+keywords: PIN, error, create a work PIN
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Hello errors during PIN creation
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
+
+## Where is the error code?
+
+The following image shows an example of an error during **Create a PIN**.
+
+
+
+## Error mitigations
+
+When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps.
+1. Try to create the PIN again. Some errors are transient and resolve themselves.
+2. Sign out, sign in, and try to create the PIN again.
+3. Reboot the device and then try to create the PIN again.
+4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](https://go.microsoft.com/fwlink/p/?LinkId=715697).
+5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](https://go.microsoft.com/fwlink/p/?LinkId=715697).
+If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
+
+
+
+
+
+
+## Errors with unknown mitigation
+For errors listed in this table, contact Microsoft Support for assistance.
+
+| Hex | Cause |
+|-------------|---------|
+| 0x80072f0c | Unknown |
+| 0x80070057 | Invalid parameter or argument is passed |
+| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
+| 0x8009002D | NTE\_INTERNAL\_ERROR |
+| 0x80090020 | NTE\_FAIL |
+| 0x801C0001 | ADRS server response is not in valid format |
+| 0x801C0002 | Server failed to authenticate the user |
+| 0x801C0006 | Unhandled exception from server |
+| 0x801C000C | Discovery failed |
+| 0x801C001B | The device certificate is not found |
+| 0x801C000B | Redirection is needed and redirected location is not a well known server |
+| 0x801C0019 | The federation provider client configuration is empty |
+| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty |
+| 0x801C0013 | Tenant ID is not found in the token |
+| 0x801C0014 | User SID is not found in the token |
+| 0x801C03F1 | There is no UPN in the token |
+| 0x801C03F0 | There is no key registered for the user |
+| 0x801C03F1 | There is no UPN in the token |
+| 0x801C044C | There is no core window for the current thread |
+
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md
new file mode 100644
index 0000000000..a59c57e6be
--- /dev/null
+++ b/windows/keep-secure/hello-event-300.md
@@ -0,0 +1,45 @@
+---
+title: Event ID 300 - Windows Hello successfully created (Windows 10)
+description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
+ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
+keywords: ngc
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Event ID 300 - Windows Hello successfully created
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
+
+## Event details
+
+| **Product:** | Windows 10 operating system |
+| --- | --- |
+| **ID:** | 300 |
+| **Source:** | Microsoft Azure Device Registration Service |
+| **Version:** | 10 |
+| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |
+
+## Resolve
+
+This is a normal condition. No further action is required.
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md
new file mode 100644
index 0000000000..8a3c433fa4
--- /dev/null
+++ b/windows/keep-secure/hello-how-it-works.md
@@ -0,0 +1,121 @@
+---
+title: How Windows Hello for Business works (Windows 10)
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+localizationpriority: high
+---
+# How Windows Hello for Business works
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+TWindows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
+
+## Register a new user or device
+
+A goal of device registration is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Windows Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration.
+
+> [!NOTE]
+>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register.
+
+ The registration process works like this:
+
+1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it.
+2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends.
+3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately
+
+The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are:
+
+- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN.
+- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
+- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
+
+When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
+
+At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures.
+
+## What’s a container?
+
+You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
+
+The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
+
+It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders.
+
+The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container.
+
+
+
+Containers can contain several types of key material:
+
+- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
+- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked.
+- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
+ - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
+ - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI.
+
+## How keys are protected
+
+Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed.
+
+Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
+
+
+## Authentication
+
+When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
+
+These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
+
+For example, the authentication process for Azure Active Directory works like this:
+
+1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.)
+2. The IDP returns a challenge, known as a nonce.
+3. The device signs the nonce with the appropriate private key.
+4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce.
+5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original.
+6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key.
+7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token.
+8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication.
+
+When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices.
+
+
+## The infrastructure
+
+Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities:
+
+- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello.
+- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required.
+- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md
new file mode 100644
index 0000000000..7e5139aeaf
--- /dev/null
+++ b/windows/keep-secure/hello-identity-verification.md
@@ -0,0 +1,129 @@
+---
+title: Windows Hello for Business (Windows 10)
+description: IWindows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices.
+ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+localizationpriority: high
+---
+# Windows Hello for Business
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
+
+>[!NOTE]
+> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+
+Windows Hello addresses the following problems with passwords:
+- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
+- Server breaches can expose symmetric network credentials (passwords).
+- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
+- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674).
+
+Windows Hello lets users authenticate to:
+- a Microsoft account.
+- an Active Directory account.
+- a Microsoft Azure Active Directory (Azure AD) account.
+- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication (in progress)
+
+After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.
+
+As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization.
+
+## Biometric sign-in
+
+ Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials.
+
+- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
+- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.
+
+Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data.
+
+
+## The difference between Windows Hello and Windows Hello for Business
+
+- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication.
+
+- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication.
+
+- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release.
+
+## Benefits of Windows Hello
+
+Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
+
+You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
+
+In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services.
+
+>[!NOTE]
+>Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password.
+
+
+
+Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
+
+Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
+
+For customers using a hybrid Active Directory and Azure Active Directorye environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
+
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
+
+## How Windows Hello for Business works: key points
+
+- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
+- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step.
+- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
+- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
+- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
+- PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
+- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
+- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.
+
+For details, see [How Windows Hello for Business works](hello-how-it-works.md).
+
+## Comparing key-based and certificate-based authentication
+
+Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
+
+
+
+## Learn more
+
+[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft)
+
+[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
+
+[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533)
+
+[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024)
+
+[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995)
+
+[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890)
+
+[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
+
+[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778)
+
+## Related topics
+
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+
diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md
new file mode 100644
index 0000000000..beca5f89e3
--- /dev/null
+++ b/windows/keep-secure/hello-manage-in-organization.md
@@ -0,0 +1,390 @@
+---
+title: Manage Windows Hello in your organization (Windows 10)
+description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
+ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
+keywords: identity, PIN, biometric, Hello
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Manage Windows Hello for Business in your organization
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
+
+>[!IMPORTANT]
+>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
+>
+>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>
+>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
+
+## Group Policy settings for Windows Hello for Business
+
+The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
+
+
+
+
+
+
+
+Hex
+Cause
+Mitigation
+
+
+
+0x801C044D
+Authorization token does not contain device ID
+Unjoin the device from Azure AD and rejoin
+
+
+0x80090036
+User cancelled an interactive dialog
+User will be asked to try again
+
+
+0x80090011
+The container or key was not found
+Unjoin the device from Azure AD and rejoin
+
+
+0x8009000F
+The container or key already exists
+Unjoin the device from Azure AD and rejoin
+
+
+0x8009002A
+NTE_NO_MEMORY
+Close programs which are taking up memory and try again.
+
+ 0x80090005
+NTE_BAD_DATA
+Unjoin the device from Azure AD and rejoin
+
+
+0x80090029
+TPM is not set up.
+Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**.
+
+
+0x80090031
+NTE_AUTHENTICATION_IGNORED
+Reboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650)
+
+
+0x80090035
+Policy requires TPM and the device does not have TPM.
+Change the Windows Hello for Business policy to not require a TPM.
+
+
+0x801C0003
+User is not authorized to enroll
+Check if the user has permission to perform the operation.
+
+
+0x801C000E
+Registration quota reached
+
+
+0x801C000F
+Operation successful but the device requires a reboot
+Reboot the device.
+
+
+0x801C0010
+The AIK certificate is not valid or trusted
+Sign out and then sign in again.
+
+
+0x801C0011
+The attestation statement of the transport key is invalid
+Sign out and then sign in again.
+
+
+0x801C0012
+Discovery request is not in a valid format
+Sign out and then sign in again.
+
+
+0x801C0015
+The device is required to be joined to an Active Directory domain
+Join the device to an Active Directory domain.
+
+
+0x801C0016
+The federation provider configuration is empty
+Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty.
+
+
+0x801C0017
+The federation provider domain is empty
+Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty.
+
+
+0x801C0018
+The federation provider client configuration URL is empty
+Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL.
+
+
+0x801C03E9
+Server response message is invalid
+Sign out and then sign in again.
+
+
+0x801C03EA
+Server failed to authorize user or device.
+Check if the token is valid and user has permission to register Windows Hello for Business keys.
+
+
+0x801C03EB
+Server response http status is not valid
+Sign out and then sign in again.
+
+
+0x801C03EC
+Unhandled exception from server.
+sign out and then sign in again.
+
+
+0x801C03ED
+Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
+
+
+0x801C03EE
+Attestation failed
+Sign out and then sign in again.
+
+
+0x801C03EF
+The AIK certificate is no longer valid
+Sign out and then sign in again.
+
+
+0x801C044D
+Unable to obtain user token
+Sign out and then sign in again. Check network and credentials.
+
+
+
+0x801C044E
+Failed to receive user creds input
+Sign out and then sign in again.
+
+
+
+## MDM policy settings for Windows Hello for Business
+
+The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070).
+
+>[!IMPORTANT]
+>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+
+
+
+Policy
+Options
+
+
+Use Windows Hello for Business
+
+
+
+
+
+Use a hardware security device
+
+
+
+
+
+Use biometrics
+
+
+
+
+
+PIN Complexity
+Require digits
+
+
+
+
+Require lowercase letters
+
+
+
+
+Maximum PIN length
+
+
+
+
+Minimum PIN length
+
+
+
+
+Expiration
+
+
+
+
+History
+
+
+
+
+Require special characters
+
+
+
+
+Require uppercase letters
+
+
+
+
+Phone Sign-in
+
+
+
+
+
+
+
+>[!NOTE]
+> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
+
+## Prerequisites
+
+To deploy Windows Hello for Business, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Windows Hello for Business build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Azure Active Directory to deploy Windows Hello for Business in your network.
+
+You’ll need this software to set Windows Hello for Business policies in your enterprise.
+
+
+Policy
+Scope
+Default
+Options
+
+
+UsePassportForWork
+
+ Device
+True
+
+
+
+
+RequireSecurityDevice
+
+ Device
+False
+
+
+
+
+Biometrics
+
+
+Device
+False
+
+
+
+
+
+
+Device
+Not configured
+
+
+
+
+PINComplexity
+
+
+Digits
+Device or user
+2
+
+
+
+
+Lowercase letters
+Device or user
+1
+
+
+
+
+Maximum PIN length
+Device or user
+127
+
+
+
+
+Minimum PIN length
+Device or user
+4
+
+
+
+
+Expiration
+Device or user
+0
+
+
+
+
+History
+Device or user
+0
+
+
+
+
+Special characters
+Device or user
+1
+
+
+
+
+Uppercase letters
+Device or user
+1
+
+
+
+
+Remote
+
+
+Device or user
+False
+
+
+
+
+
+Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business.
+
+Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
+
+
+
+
+## How to use Windows Hello for Business with Azure Active Directory
+
+There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
+
+- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
+- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
+- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
+
+If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
+
+
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md
new file mode 100644
index 0000000000..41c323ada1
--- /dev/null
+++ b/windows/keep-secure/hello-prepare-people-to-use.md
@@ -0,0 +1,109 @@
+---
+title: Prepare people to use Windows Hello (Windows 10)
+description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
+ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
+keywords: identity, PIN, biometric, Hello
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Prepare people to use Windows Hello
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
+
+After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
+
+Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
+
+People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
+
+## On devices owned by the organization
+
+When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
+
+
+
+Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
+
+
+
+They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
+
+After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
+
+## On personal devices
+
+People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
+
+People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
+
+## Using Windows Hello and biometrics
+
+If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
+
+
+
+## Use a phone to sign in to a PC or VPN
+
+If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
+
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
+
+**Prerequisites:**
+
+- Both phone and PC must be running Windows 10, version 1607.
+- The PC must be running Windows 10 Pro, Enterprise, or Education
+- Both phone and PC must have Bluetooth.
+- The **Microsoft Authenticator** app must be installed on the phone.
+- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
+- The phone must be joined to Azure AD or have a work account added.
+- The VPN configuration profile must use certificate-based authentication.
+
+**Pair the PC and phone**
+
+1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing.
+
+ 
+
+2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**.
+
+ 
+
+3. On the PC, tap **Yes**.
+
+**Sign in to PC using the phone**
+
+
+1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
+ > **Note: ** The first time that you run the **Microsoft Authenticator** app, you must add an account.
+
+ 
+
+2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
+
+**Connect to VPN**
+
+You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect.
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+
diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md
new file mode 100644
index 0000000000..e79b6e5348
--- /dev/null
+++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md
@@ -0,0 +1,83 @@
+---
+title: Why a PIN is better than a password (Windows 10)
+description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
+ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
+keywords: pin, security, password, hello
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Why a PIN is better than a password
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
+On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
+
+
+## PIN is tied to the device
+One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
+
+Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
+
+## PIN is local to the device
+
+A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
+When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
+
+>[!NOTE]
+>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-identity-verification.md#benefits-of-windows-hello).
+
+## PIN is backed by hardware
+
+The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
+
+User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
+
+The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
+
+## PIN can be complex
+
+The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
+
+## What if someone steals the laptop or phone?
+
+To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device.
+You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
+
+**Configure BitLocker without TPM**
+1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
+
+ **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup**
+
+2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.**
+3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect.
+**Set account lockout threshold**
+1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
+
+ **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold**
+
+2. Set the number of invalid logon attempts to allow, and then click OK.
+
+## Why do you need a PIN to use biometrics?
+Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
+
+If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md
index 6a307acac3..2731ce37e8 100644
--- a/windows/keep-secure/how-to-configure-security-policy-settings.md
+++ b/windows/keep-secure/how-to-configure-security-policy-settings.md
@@ -31,9 +31,9 @@ When a local setting is inaccessible, it indicates that a GPO currently controls
3. When you find the policy setting in the details pane, double-click the security policy that you want to modify.
4. Modify the security policy setting, and then click **OK**.
- **Note**
- - Some security policy settings require that the device be restarted before the setting takes effect.
- - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
+ > [!NOTE]
+ > - Some security policy settings require that the device be restarted before the setting takes effect.
+ > - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
## To configure a security policy setting using the Local Group Policy Editor console
@@ -48,11 +48,13 @@ You must have the appropriate permissions to install and use the Microsoft Manag
4. In the details pane, double-click the security policy setting that you want to modify.
- >**Note:** If this security policy has not yet been defined, select the **Define these policy settings** check box.
+ > [!NOTE]
+ > If this security policy has not yet been defined, select the **Define these policy settings** check box.
5. Modify the security policy setting, and then click **OK**.
->**Note:** If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
+> [!NOTE]
+> If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
## To configure a setting for a domain controller
@@ -65,13 +67,15 @@ The following procedure describes how to configure a security policy setting for
- Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
3. In the details pane, double-click the security policy that you want to modify.
- >**Note** If this security policy has not yet been defined, select the **Define these policy settings** check box.
+
+ > [!NOTE]
+ > If this security policy has not yet been defined, select the **Define these policy settings** check box.
4. Modify the security policy setting, and then click **OK**.
-**Important**
-- Always test a newly created policy in a test organizational unit before you apply it to your network.
-- When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
+> [!IMPORTANT]
+> - Always test a newly created policy in a test organizational unit before you apply it to your network.
+> - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
## Related topics
diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
new file mode 100644
index 0000000000..cbe59766be
--- /dev/null
+++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -0,0 +1,94 @@
+---
+title: How to use single sign on (SSO) over VPN and Wi-Fi connections (Windows 10)
+description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: justinha
+---
+
+# How to use single sign on (SSO) over VPN and Wi-Fi connections
+
+This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The scenario is:
+
+- You connect to a network using Wi-Fi or VPN.
+- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
+
+For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
+
+At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
+Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
+For VPN, the VPN stack saves its credential as the session default.
+For WiFi, EAP does it.
+
+The credentials are put in Credential Manager as a "\*Session" credential.
+A "\*Session" credential implies that it is valid for the current user session.
+The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
+
+When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
+For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
+
+The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
+If the app is not UWP, it does not matter.
+But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
+If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
+This behavior helps prevent credentials from being misused by untrusted third parties.
+
+## Intranet zone
+
+For the Intranet zone, by default it only allows single-label names, such as Http://finance.
+If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
+
+### Setting the ZoneMap
+
+The ZoneMap is controlled using a registry that can be set through MDM.
+By default, single-label names such as http://finance are already in the intranet zone.
+For multi-label names, such as http://finance.net, the ZoneMap needs to be updated.
+
+## MDM Policy
+
+OMA URI example:
+
+./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/`
+
+
+
+Windows Hello for Business mode
+Azure AD
+Active Directory (AD) on-premises (available with production release of Windows Server 2016)
+Azure AD/AD hybrid (available with production release of Windows Server 2016)
+
+
+Key-based authentication
+Azure AD subscription
+
+
+
+
+
+Certificate-based authentication
+
+
+
+
-
-
-## MDM policy settings for Windows Hello for Business
-
-The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070).
-
->[!IMPORTANT]
->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
-
-
-
-Policy
-Options
-
-
-Use Windows Hello for Business
-
-
-
-
-
-Use a hardware security device
-
-
-
-
-
-Use biometrics
-
-
-
-
-
-PIN Complexity
-Require digits
-
-
-
-
-Require lowercase letters
-
-
-
-
-Maximum PIN length
-
-
-
-
-Minimum PIN length
-
-
-
-
-Expiration
-
-
-
-
-History
-
-
-
-
-Require special characters
-
-
-
-
-Require uppercase letters
-
-
-
-
-Phone Sign-in
-
-
-
-
-
-
-
->[!NOTE]
-> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
-
-## Prerequisites
-
-You’ll need this software to set Windows Hello for Business policies in your enterprise.
-
-
-Policy
-Scope
-Default
-Options
-
-
-UsePassportForWork
-
- Device
-True
-
-
-
-
-RequireSecurityDevice
-
- Device
-False
-
-
-
-
-Biometrics
-
-
-Device
-False
-
-
-
-
-
-
-Device
-Not configured
-
-
-
-
-PINComplexity
-
-
-Digits
-Device or user
-2
-
-
-
-
-Lowercase letters
-Device or user
-1
-
-
-
-
-Maximum PIN length
-Device or user
-127
-
-
-
-
-Minimum PIN length
-Device or user
-4
-
-
-
-
-Expiration
-Device or user
-0
-
-
-
-
-History
-Device or user
-0
-
-
-
-
-Special characters
-Device or user
-1
-
-
-
-
-Uppercase letters
-Device or user
-1
-
-
-
-
-Remote
-
-
-Device or user
-False
-
-
-
-
-
-Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business.
-
-[Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-passport) provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
-
-[Learn more about enabling Windows Hello for Business in an Azure AD/AD hybrid environment.](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-passport-deployment)
-
-
-## Windows Hello for BYOD
-
-Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and used this PIN for access to work resources.
-
-The PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The PIN can also be managed using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](https://go.microsoft.com/fwlink/p/?LinkID=623244).
-
-## Related topics
-
-[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
-
-[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-
-[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-
-[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-
-[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-
-[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-
-[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-
-[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-
-[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
-
diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
index 3e1ed57822..db8b674702 100644
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+localizationpriority: high
author: brianlic-msft
---
# Keep Windows 10 secure
@@ -15,21 +16,21 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
## In this section
| Topic | Description |
-| - | - |
+| --- | --- |
| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. |
-| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
-| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Hello for Business](hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
-| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
+| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
+| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
-| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
+| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. |
| [VPN technical guide](vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
-| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
-| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
+| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. For example, learn about AppLocker, BitLocker, and Security auditing. |
+| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Review technology overviews that help you understand Windows 10 security technologies in the context of the enterprise. |
| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
## Related topics
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
index 013355ffa6..813dde388c 100644
--- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
@@ -27,7 +27,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi
- [Turn on or turn off the TPM](#turn-on-or-turn-off)
-This topic also provides information about [using the TPM cmdlets](#use-the-tpm-cmdlets).
+For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## About TPM initialization and ownership
@@ -150,11 +150,7 @@ If you want to stop using the services that are provided by the TPM, you can use
## Use the TPM cmdlets
-If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
-
-`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Related topics
diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
index 0177def043..5af92d1bcf 100644
--- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
@@ -34,8 +34,6 @@ If this policy is disabled, the full name of the last user to log on is displaye
Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
-Depending on your security policy, you might also want to enable the [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) policy, which will prevent the Windows operating system from displaying the logon name when the session is locked or started.
-
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
index c0577fe786..3712b6aed0 100644
--- a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
+++ b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
@@ -75,5 +75,5 @@ Another Windows 10 feature that employs VBS is [Credential Guard](credential-gua
Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats.
-In addition to the client-side enabling of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. For more information, see the [Additional mitigations](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard#additional-mitigations) section in “Protect derived domain credentials with Credential Guard.”
+
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index eec0ada5a4..bc3e8df73d 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -21,12 +21,12 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.
+The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting sensor data in your network.
Use the Machines view in these two main scenarios:
- **During onboarding**
- - During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report telemetry. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported telemetry, or download the complete endpoint list as a CSV file for offline analysis.
+ - During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported sensor data, or download the complete endpoint list as a CSV file for offline analysis.
- **Day-to-day work**
- The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them.
@@ -34,7 +34,7 @@ The Machines view contains the following columns:
- **Machine name** - the name or GUID of the machine
- **Domain** - the domain the machine belongs to
-- **Last seen** - when the machine last reported telemetry
+- **Last seen** - when the machine last reported sensor data
- **Internal IP** - the local internal Internet Protocol (IP) address of the machine
- **Active Alerts** - the number of alerts reported by the machine by severity
- **Active malware detections** - the number of active malware detections reported by the machine
@@ -59,7 +59,7 @@ You can filter the view by the following time periods:
- 6 months
> [!NOTE]
-> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
+> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported sensor data within the last 24-hour period.
The threat category filter lets you filter the view by the following categories:
@@ -94,7 +94,7 @@ When you investigate a specific machine, you'll see:
- **Alerts related to this machine**
- **Machine timeline**
-The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting telemetry to the Windows Defender ATP service.
+The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service.
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md
index c95ae45458..39aaeb8dc5 100644
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/keep-secure/limitations-with-wip.md
@@ -25,8 +25,8 @@ This table provides info about the most common problems you might encounter whil
-
-
-
-Windows Hello for Business mode
-Azure AD
-Azure AD/AD hybrid (available with production release of Windows Server 2016)
-
-
-Key-based authentication
-[Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant)
-
-
-
-
-Certificate-based authentication
-
-
-
Workaround
-
Enterprise data on USB drives is tied to the device it was protected on.
- Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
+ Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
+ If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.
Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
@@ -67,7 +67,7 @@ This table provides info about the most common problems you might encounter whil
Redirected folders with Client Side Caching are not compatible with WIP.
Apps might encounter access errors while attempting to read a cached, offline file.
- Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
+ Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).
+You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
index d91d7bbb04..81cef9cc41 100644
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
-localizationpriority: high
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification
---
# Manage identity verification using Windows Hello for Business
@@ -16,112 +16,3 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
-
->[!NOTE]
-> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-
-Hello addresses the following problems with passwords:
-- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
-- Server breaches can expose symmetric network credentials.
-- Passwords can be subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
-- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674).
-
-Hello lets users authenticate to:
-- a Microsoft account.
-- an Active Directory account.
-- a Microsoft Azure Active Directory (Azure AD) account.
-- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication
-
-After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services.
-
-As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization.
-
-
-
-
-## The difference between Windows Hello and Windows Hello for Business
-
-- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by certificate-based authentication.
-
-- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication.
-
-- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release.
-
-## Benefits of Windows Hello
-
-Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
-
-You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
-
-In Windows 10, Hello replaces passwords. The Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software.
-
-
-
-Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
-
-Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
-
-Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
-
-> [!NOTE]
-> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
-
-## How Windows Hello for Business works: key points
-
-- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
-- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step.
-- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
-- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
-- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process.
-- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates.
-- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
-- Certificate private keys can be protected by the Hello container and the Hello gesture.
-
-
-## Comparing key-based and certificate-based authentication
-
-Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello.
-
-Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM.
-EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
-
-When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
-
-## Learn more
-
-[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
-
-[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533)
-
-[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024)
-
-[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995)
-
-[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890)
-
-[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
-
-[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778)
-
-[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928)
-
-## Related topics
-
-[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-
-[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-
-[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-
-[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-
-[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-
-[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-
-[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-
-[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
-
diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md
index 71f3c2229e..c95d30f931 100644
--- a/windows/keep-secure/manage-tpm-commands.md
+++ b/windows/keep-secure/manage-tpm-commands.md
@@ -77,11 +77,7 @@ The following procedures describe how to manage the TPM command lists. You must
## Use the TPM cmdlets
-If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
-
-`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Related topics
diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md
index 3f5e966157..76b1ee2bae 100644
--- a/windows/keep-secure/manage-tpm-lockout.md
+++ b/windows/keep-secure/manage-tpm-lockout.md
@@ -78,11 +78,7 @@ For information about mitigating dictionary attacks that use the lockout setting
## Use the TPM cmdlets
-If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command:
-
-**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets**
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Related topics
diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md
index 128f1ffe29..fffa48b90f 100644
--- a/windows/keep-secure/microsoft-passport-and-password-changes.md
+++ b/windows/keep-secure/microsoft-passport-and-password-changes.md
@@ -7,48 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
-localizationpriority: high
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-and-password-changes
---
# Windows Hello and password changes
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
-
-## Example
-
-Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
-Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
-
-Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
-> **Note:** This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
-
-## How to update Hello after you change your password on another device
-
-1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
-2. Click **OK.**
-3. Click **Sign-in options**.
-4. Click the **Password** button.
-5. Sign in with new password.
-6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN.
-
-## Related topics
-
-[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-
-[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-
-[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-
-[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-
-[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-
-[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-
-[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-
-[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
-
\ No newline at end of file
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
index 3e4fbfbedf..aa890d3cd9 100644
--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
@@ -8,232 +8,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
-localizationpriority: high
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-errors-during-pin-creation
---
# Windows Hello errors during PIN creation
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
-
-## Where is the error code?
-
-The following image shows an example of an error during **Create a PIN**.
-
-
-
-## Error mitigations
-
-When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps.
-1. Try to create the PIN again. Some errors are transient and resolve themselves.
-2. Sign out, sign in, and try to create the PIN again.
-3. Reboot the device and then try to create the PIN again.
-4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](https://go.microsoft.com/fwlink/p/?LinkId=715697).
-5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](https://go.microsoft.com/fwlink/p/?LinkId=715697).
-If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
-
-
-
-
-
-
-## Errors with unknown mitigation
-For errors listed in this table, contact Microsoft Support for assistance.
-
-| Hex | Cause |
-|-------------|-------------------------------------------------------------------------------------------------------|
-| 0x80072f0c | Unknown |
-| 0x80070057 | Invalid parameter or argument is passed |
-| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
-| 0x8009002D | NTE\_INTERNAL\_ERROR |
-| 0x80090020 | NTE\_FAIL |
-| 0x801C0001 | ADRS server response is not in valid format |
-| 0x801C0002 | Server failed to authenticate the user |
-| 0x801C0006 | Unhandled exception from server |
-| 0x801C000C | Discovery failed |
-| 0x801C001B | The device certificate is not found |
-| 0x801C000B | Redirection is needed and redirected location is not a well known server |
-| 0x801C0019 | The federation provider client configuration is empty |
-| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty |
-| 0x801C0013 | Tenant ID is not found in the token |
-| 0x801C0014 | User SID is not found in the token |
-| 0x801C03F1 | There is no UPN in the token |
-| 0x801C03F0 | There is no key registered for the user |
-| 0x801C03F1 | There is no UPN in the token |
-| 0x801C044C | There is no core window for the current thread |
-
-
-## Related topics
-
-[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-
-[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-
-[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-
-[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-
-[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-
-[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-
-[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-
-[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
index d2737b9630..faa85f4206 100644
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ b/windows/keep-secure/microsoft-passport-guide.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: security
author: challum
-localizationpriority: high
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification
---
# Microsoft Passport guide
@@ -16,383 +16,3 @@ localizationpriority: high
**Applies to**
- Windows 10
-This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10, version 1511 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.
-
->[!NOTE]
->For information about Windows Hello for Business in Windows 10, version 1607, see [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md).
-
-A fundamental assumption about information security is that a system can identify who’s using it. In identifying a user, the system can decide whether the user has identified himself or herself appropriately (a process known as authentication), and then determine what that properly authenticated user should be able to do (a process known as authorization). The overwhelming majority of computer systems deployed throughout the world depend on user credentials as a means of making authentication and authorization decisions, and that means that these systems depend on reusable, user-created passwords for their security. The oft-cited maxim that authentication can involve “something you know, something you have, or something you are” neatly highlights the issue: a reusable password is an authentication factor all by itself, so anyone who knows the password can impersonate the user who owns it.
-
-## Problems with traditional credentials
-
-Ever since the mid-1960s, when Fernando Corbató and his team at the Massachusetts Institute of Technology championed the introduction of the password, users and administrators have had to deal with the use of passwords for user authentication and authorization. Over time, the state of the art for password storage and use has advanced somewhat (with password hashing and salt being the two most noticeable improvements), but we’re still faced with two serious problems: passwords are easy to clone and easy to steal. Implementation faults may render them insecure, and users have a hard time balancing convenience and security.
-
-**Credential theft**
-
-The biggest risk of passwords is simple: an attacker can steal them easily. Every place a password is entered, processed, or stored is vulnerable. For example, an attacker can steal a collection of passwords or hashes from an authentication server by eavesdropping on network traffic to an application server, by implanting malware in an application or on a device, by logging user keystrokes on a device, or by watching to see which characters a user types — and those are just the most common attack methods. One can enact more exotic attacks to steal one or many passwords.
-
-The risk of theft is driven by the fact that the authentication factor the password represents is the password. Without additional authentication factors, the system assumes that anyone who knows the password is the authorized user.
-Another, related risk is that of credential replay, in which an attacker captures a valid credential by eavesdropping on an insecure network, and then replays it later to impersonate a valid user. Most authentication protocols (including Kerberos and OAuth) protect against replay attacks by including a time stamp in the credential exchange process, but that protects the token that the authentication system issues, not the password that the user provides to get the ticket in the first place.
-
-**Credential reuse**
-
-The common approach of using an email address as the user name makes a bad problem worse. An attacker who successfully recovers a user name–password pair from a compromised system can then try that same pair on other systems. Surprisingly often, this tactic works to allow attackers to springboard from a compromised system into other systems. The use of email addresses as user names leads to other problems, too, which we’ll explore later in this guide.
-
-###
-
-**Trading convenience for complexity**
-Most security is a tradeoff between convenience and security: the more secure a system is, the less convenient it will typically be for users. Although system designers and implementers have a broad range of tools to make their systems more secure, users get a vote, too. When users perceive that a security mechanism gets in the way of what they want to do, they often look for ways to circumvent it. This behavior leads to an arms race of sorts, with users adopting strategies to minimize the effort required to comply with their organization’s password policies as those policies evolve.
-
-**Password complexity**
-
-If the major risk to passwords is that an attacker might guess them through brute-force analysis, it might seem reasonable to require users to include a broader character set in their passwords or make them longer, but as a practical matter, password length and complexity requirements have two negative side effects. First, they encourage password reuse. Estimates by [Herley, Florêncio, and van Oorschot](https://go.microsoft.com/fwlink/p/?LinkId=627392) calculate that the stronger a password is, the more likely it is to be reused. Because users put more effort into the creation and memorization of strong passwords, they are much more likely to use the same credential across multiple systems. Second, adding length or character set complexity to passwords does not necessarily make them more difficult to guess. For example, P@ssw0rd1 is nine characters long and includes uppercase and lowercase letters, numbers, and special characters, but it’s easily guessed by many of the common password-cracking tools now available on the Internet. These tools can attack passwords by using a pre-computed dictionary of common passwords, or they can start with a base word such as password, and then apply common character substitutions. A completely random eight-character password might therefore actually take longer to guess than P@ssw0rd123.
-
-**Password expiration**
-
-Because a reusable password is the only authentication factor in password-based systems, designers have attempted to reduce the risk of credential theft and reuse. One common method for doing so is the use of limited-lifetime passwords. Some systems allow for passwords that can be used only once, but by far the more common approach is to make passwords expire after a certain period. Limiting the useful lifetime of a password puts a cap on how long a stolen password will be useful to an attacker. This practice helps protect against cases where a long-lived password is stolen, held, and used for a long time, but it also harkens back to the time when password cracking was impractical for everyone except nation state-level attackers. A smart attacker would attempt to steal passwords rather than crack them because of the time penalty associated with password cracking.
-The widespread availability of commodity password-cracking tools and the massive computing power available through mechanisms such as GPU-powered crackers or distributed cloud-based cracking tools has reversed this equation so that it is often more effective for an attacker to crack a password than to try to steal it. In addition, the widespread availability of self-service [password-reset mechanisms](#password-reset) means that an attacker needs only a short window of time during which the password is valid to change the password and thus reset the validity period. Relatively few enterprise networks provide self-service password-reset mechanisms, but they are common for Internet services. In addition, many users use the secure credential store on Windows and Mac OS X systems to store valuable passwords for Internet services, so an attacker who can compromise the operating system password may be able to obtain a treasure trove of other service passwords at no cost.
-Finally, overly short timelines for password expiration can tempt users to make small changes in their passwords at each expiration period — for example, moving from password123 to password456 to password789. This approach reduces the work necessary to crack the password, especially if the attacker knows any of the old passwords.
-
-###
-
-**Password-reset mechanisms**
-
-To let users better manage their own passwords, some services provide a way for users to change their own password. Some implementations require users to log on with their current password, while others allow users to select the **Forgot my password** option, which sends an email to the user’s registered email address. The problem with these mechanisms is that many of them are implemented such that an attacker can exploit them. For example, an attacker who can successfully guess or steal a user’s email password can merrily request password resets for all of the victim’s other accounts, because the reset emails go to the compromised account. For this reason, most enterprise networks are configured so that only administrators can reset user passwords; for example, Active Directory supports the use of a **Password must be changed on next logon** flag so that after the administrator resets a password, the user can reset the password only after providing the administrator-set password. Some mobile device management (MDM) systems support similar functionality for mobile devices.
-
-**User password carelessness**
-
-An insidious problem makes these design and implementation weaknesses worse: some users just aren’t careful with their passwords. They write them down in insecure locations, choose easy-to-guess passwords, take minimal (if any) precautions against malware, or even give their passwords to other people. These users aren’t necessarily careless because they don’t care; they want to get things done, and overly stringent password length or expiration policies or too many passwords hinders them.
-
-**Mitigate credential risks**
-
-Given the issues described so far, it might seem obvious that reusable passwords are a security hazard. The argument is simple: adding authentication factors reduces the value of the passwords themselves, because even a successful password theft won’t let an attacker log on to a system unless he or she also has the associated additional factors. Unfortunately, this simple argument has many practical complications. Security and operating system vendors have tried to solve the problems that reusable credentials pose for decades — with limited success.
-The most obvious mitigation to the risks reusable passwords pose is to add one or more authentication factors. At different times over the past 30 years, different vendors have attempted to solve this problem by calling for the use of biometric identifiers (including fingerprints, iris and retina scans, and hand geometry), software-based and hardware-based tokens, physical and virtual smart cards, and voice or Short Message Service (SMS) authentication through the user’s mobile phone. A detailed description of each of these authenticators and its pros and cons is outside the scope of this guide, but no matter which authentication method you choose, core challenges have limited adoption of all Multi-Factor Authentication (MFA) solutions, including:
-- **Infrastructure complexity and cost.** Any system that requires the user to provide an additional authentication factor at the point of access has to have a way to collect that information. Although it’s possible to retrofit fielded hardware by adding fingerprint readers, eye scanners, smart card readers, and so on, few enterprises have been willing to take on the cost and support burden required to do so.
-- **Lack of standardization.** Although Microsoft included operating system–level smart card support as part of the Windows Vista operating system, smart card and reader vendors were free to continue to ship their own drivers, as were manufacturers of other authentication devices. Lack of standardization led to both application and support fragmentation, which means that it wasn’t always possible to mix and match solutions within an enterprise, even when the manufacturers of those solutions advertised them as being compatible.
-- **Backward compatibility.** Retrofitting already-deployed operating systems and applications to use MFA has proven an extremely difficult task. Nearly three years after its release, Microsoft Office 2013 is finally getting support for MFA. The vast majority of both commercial and custom line-of-business (LOB) applications will never be retrofitted to take advantage of any authentication system other than what the underlying operating system provides.
-- **User inconvenience.** Solutions that require users to obtain, keep track of, and use physical tokens are often unpopular. If users have to have a particular token for remote access or other scenarios that are supposed to make things more convenient, they tend to become quickly dissatisfied with the burden of keeping up with an additional device. This pushback is multiplied for solutions that have to be attached to computers (such as smart card readers) because such solutions introduce problems of portability, driver support, and operating system and application integration.
-- **Device compatibility.** Not every hardware form factor supports every authentication method. For example, despite occasional feeble efforts from vendors, no market for mobile phone-compatible smart card readers ever emerged.
-So when Microsoft first implemented smart cards as an authenticator for remote network access, one key limitation was that employees could log on only from desktop or laptop computers that had smart card readers. Any authentication method that relies on additional hardware or software may run into this problem. For example, several popular “soft token” systems rely on mobile apps that run on a limited number of mobile hardware platforms.
-Another pesky problem has to do with institutional knowledge and maturity. Strong authentication systems are complex. They have lots of components, and they can be expensive to design, maintain, and operate. For some enterprises, the additional cost and overhead of maintaining an in-house public key infrastructure (PKI) to issue smart cards or the burden of managing add-on devices exceeds the value they perceive in having stronger authentication. This is a special case of the common problem that financial institutions face: if the cost of fraud reduction is higher than the cost of the fraud itself, it’s hard to justify the economics of better fraud-prevention measures.
-
-## Solve credential problems
-
-Solving the problems that passwords pose is tricky. Tightening password policies alone won’t do it: users may just recycle, share, or write down passwords. Although user education is critical for authentication security, education alone doesn’t eliminate the problem, either.
-
-As you’ve seen, additional authenticators won’t necessarily help if the new authentication systems add complexity, cost, or fragility. In Windows 10, Microsoft addresses these problems with two new technologies: Windows Hello and Microsoft Passport. Working together, these technologies help increase both security and user convenience:
-- Microsoft Passport replaces passwords with strong two-factor authentication (2FA) by verifying existing credentials and by creating a device-specific credential that a user gesture (either biometric or PIN-based) protects. This combination effectively replaces physical and virtual smart cards as well as reusable passwords for logon and access control.
-- Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ Microsoft Passport credentials.
-
-## What is Windows Hello?
-
-Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10. Because it is built directly into the operating system, Windows Hello allows face or fingerprint identification to unlock users’ devices. Authentication happens when the user supplies his or her unique biometric identifier to access the device-specific Microsoft Passport credentials, which means that an attacker who steals the device can’t log on to it unless that attacker has the PIN. The Windows secure credential store protects biometric data on the device. By using Windows Hello to unlock a device, the authorized user gains access to all of his or her Windows experience, apps, data, websites, and services.
-
-The Windows Hello authenticator is known as a Hello. A Hello is unique to the combination of an individual device and a specific user; it doesn’t roam among devices, isn’t shared with a server, and cannot easily be extracted from a device. If multiple users share a device, each user gets a unique Hello for that device. You can think of a Hello as a token you can use to unlock (or release) a stored credential: the Hello itself doesn’t authenticate you to an app or service, but it releases credentials that can.
-
-At the launch of Windows 10, the operating system supported three Hello types:
-- **PIN.** Before you can use Windows Hello to enable biometrics on a device, you must choose a PIN as your initial Hello gesture. After you’ve set a PIN, you can add biometric gestures if you want to. You can always use the PIN gesture to release your credentials, so you can still unlock and use your device even if you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
-- **Facial recognition.** This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
-- **Fingerprint recognition.** This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.
-Biometric data used to implement these Hello gestures is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. Breaches that expose biometrics collected and stored for other uses (such as fingerprints collected and stored for law enforcement or background check purposes) don’t pose a significant threat: an attacker who steals biometrics literally has only a template of the identifier, and that template cannot easily be converted to a form that the attacker can present to a biometric sensor. The data path for Windows Hello-compatible sensors is resistant to tampering, too, which further reduces the chance that an attacker will be able to successfully inject faked biometric data. In addition, before an attacker can even attempt to inject data into the sensor pipeline, that attacker must gain physical access to the device — and an attacker who can do that can mount several other, less difficult attacks.
-Windows Hello offers several major benefits. First, when combined with Microsoft Passport, it effectively solves the problems of credential theft and sharing. Because an attacker must obtain both the device and the selected biometric, it is much more difficult to gain access without the user’s knowledge. Second, the use of biometrics means that users benefit from having a simple authenticator that’s always with them: there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, secure method for signing in to all their Windows devices. Finally, in many cases, there’s nothing additional to deploy or manage to use Windows Hello (although Microsoft Passport may require additional deployment, as described later in this guide). Windows Hello support is built directly into the operating system, and users or enterprises can add compatible biometric devices to provide biometric gesture recognition, either as part of a coordinated rollout or as individual users or groups decide to add the necessary sensors. Windows Hello is part of Windows, so no additional deployment is required to start using it.
-
-## What is Microsoft Passport?
-
-Windows Hello provides a robust way for a device to recognize an individual user; that addresses the first part of the path between a user and a requested service or data item. After the device has recognized the user, however, it still must authenticate the user before deciding whether to grant access to a requested resource. Microsoft Passport provides strong 2FA, fully integrated into Windows, that replaces reusable passwords with the combination of a specific device and a Hello or PIN. Microsoft Passport isn’t just a replacement for traditional 2FA systems, though. It’s conceptually similar to smart cards: authentication is performed by using cryptographic primitives instead of string comparisons, and the user’s key material is secure inside tamper-resistant hardware. Microsoft Passport doesn’t require the extra infrastructure components required for smart card deployment, either. In particular, you don’t need a PKI if you don’t currently have one. Microsoft Passport combines the major advantage of smart cards — deployment flexibility for virtual smart cards and robust security for physical smart cards — without any of their drawbacks.
-
-Microsoft Passport offers four significant advantages over the current state of Windows authentication: it’s more flexible, it’s based on industry standards, it’s an effective risk mitigator, and it’s ready for the enterprise. Let’s look at each of these advantages in more detail.
-
-**It’s flexible**
-
-Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate.
-Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section).
-
-**It’s standardized**
-
-Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end. The future lies with open, interoperable systems that allow secure authentication across a variety of devices, LOBs, and external applications and websites. To this end, a group of industry players formed the Fast IDentity Online Alliance (FIDO), a nonprofit organization intended to address the lack of interoperability among strong authentication devices as well as the problems users face when they have to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. For more information, see the [FIDO Alliance website](https://go.microsoft.com/fwlink/p/?LinkId=627393).
-
-In 2013, Microsoft joined the FIDO Alliance. FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong passwordless authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: passwordless (known as the Universal Authentication Framework \[UAF\]) and 2nd Factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals to combine the best parts of the U2F and UAF FIDO 1.0 standards. Microsoft is actively contributing to the proposals, and Windows 10 is a reference implementation of these concepts. In addition to supporting those protocols, the Windows implementation covers other aspects of the end-to-end experience that the specification does not cover, including user interface to, storage of, and protection for users’ device keys and the tokens issued after authentication; supporting administrator policies; and providing deployment tools. Microsoft expects to continue working with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike.
-
-**It’s effective**
-
-Microsoft Passport effectively mitigates two major security risks. First, by eliminating the use of reusable passwords for logon, it reduces the risk that a user’s credential will be copied or reused. On devices that support the Trusted Platform Module (TPM) standard, user key material can be stored in the user device’s TPM, which makes it more difficult for an attacker to capture the key material and reuse it. For devices that lack TPM, Microsoft Passport can encrypt and store credential data in software, but administrators can disable this feature to force a “TPM or nothing” deployment.
-Second, because Microsoft Passport doesn’t depend on a single, centralized server, the risk of compromise from a breach of that server is removed. Although an attacker could theoretically compromise a single device, there’s no single point of attack that an intruder can leverage to gain widespread access to the environment.
-
-**It’s enterprise-ready**
-
-Every edition of Windows 10 includes Microsoft Passport functionality for individual use; enterprise and personal users can take advantage of Microsoft Passport to protect their individual credentials with compatible applications and services. In addition, enterprises whose users are running Windows 10 Professional and Windows 10 Enterprise have the ability to use Microsoft Passport for Work, an enhanced version of Microsoft Passport that includes the ability to centrally manage Microsoft Passport settings for PIN strength and biometric use through Group Policy Objects (GPOs).
-
-## How Microsoft Passport works
-
-To use Microsoft Passport to sign in with an identity provider (IDP), a user needs a configured device, which means that the Microsoft Passport life cycle starts when you configure a device for Microsoft Passport use. When the device is set up, its user can use the device to authenticate to services. In this section, we explore how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
-
-**Register a new user or device**
-
-A goal of Microsoft Passport is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Microsoft Passport as registration.
-> **Note:** This is separate from the organizational configuration required to use Microsoft Passport with Active Directory or Azure AD; that configuration is discussed later in this guide. This configuration must be completed before users can begin to register.
-
-The registration process works like this:
-1. The user configures an account on the device.
- This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as logging on with a Microsoft account. Logging on with a Microsoft account on a Windows 10 device automatically sets up Microsoft Passport on the device; users don’t have to do anything extra to enable it.
-2. To log on using that account, the user has to enter the existing credentials for it.
- The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends.
-3. When the user has provided the proof to the IDP, the user enables PIN authentication (Figure 1).
- The PIN will be associated with this particular credential.
-
- 
-
- Figure 1. Set up a PIN in the **Account Settings** control panel item
-
- When the user sets the PIN, it becomes usable immediately (Figure 2).
-
- 
-
- Figure 2. When set, the PIN is immediately usable
-
-Remember that Microsoft Passport depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Microsoft Passport supports are:
-
-- A user who upgrades from the Windows 8.1 operating system will log on by using his or her existing enterprise password. That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN.
-- A user who typically uses a smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to.
-- A user who typically uses a virtual smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to.
-
-When the user has completed this process, Microsoft Passport generates a new public–private key pair on the device. The TPM generates and stores this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Microsoft Passport also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
-
-At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely log on to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future logons can then use either the PIN or the registered biometric gestures.
-
-**What’s a container?**
-
-You’ll often hear the term *container* used in reference to MDM solutions. Microsoft Passport uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 supports two containers: the default container holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and the enterprise container holds credentials associated with a workplace or school account.
-
-The enterprise container exists only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. The enterprise container contains only key data for Active Directory or Azure AD. If the enterprise container is present on a device, it’s unlocked separately from the default container, which maintains separation of data and access across personal and enterprise credentials and services. For example, a user who uses a biometric gesture to log on to a managed computer can separately unlock his or her personal container by entering a PIN when logging on to make a purchase from a website.
-These containers are logically separate. Organizations don’t have any control over the credentials users store in the default container, and applications that authenticate against services in the default container can’t use credentials from the enterprise container. However, individual Windows applications can use the Microsoft Passport application programming interfaces (APIs) to request access to credentials as appropriate, so that both consumer and LOB applications can be enhanced to take advantage of Microsoft Passport.
-
-It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Microsoft Passport stores are protected without the creation of actual containers or folders.
-
-Each container actually contains a set of keys, some of which are used to protect other keys. Figure 3 shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container.
-
-
-
-Figure 3. Each logical container holds one or more sets of keys
-
-Containers can contain several types of key material:
-
-- An *authentication key*, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
-- *Virtual smart card keys* are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked.
-- *Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates*, which a certification authority (CA) generates. The keys associated with the user’s S/MIME certificate can be stored in a Microsoft Passport container so they’re available to the user whenever the container is unlocked.
-- The *IDP key*. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container as illustrated in Figure 3. For certificate-based Microsoft Passport for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this machine to the IDP. IDP keys are typically long lived but could have a shorter lifetime than the authentication key.
-Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
-- The IDP key pair can be associated with an enterprise CA through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://go.microsoft.com/fwlink/p/?LinkId=733947). In this case, Microsoft Passport requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Microsoft Passport in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
-- The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Microsoft Passport in environments that don’t have or need a PKI.
-
-**How keys are protected**
-
-Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Microsoft Passport for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Microsoft Passport and Microsoft Passport for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the machine can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed.
-
-Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
-
-**Authentication**
-
-When a user wants to access protected key material — perhaps to use an Internet site that requires a logon or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called *releasing the key*. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN.
-This process unlocks the protector key for the primary container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
-
-These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or log on to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Microsoft Passport layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
-
-The actual authentication process works like this:
-
-1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.)
-2. The IDP returns a challenge, known as a *nonce*.
-3. The device signs the nonce with the appropriate private key.
-4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce.
-5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original.
-6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key.
-7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token.
-8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication.
-
-When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices.
-
-Remote unlock, which is planned for a future release of Windows 10, builds on these scenarios by enabling seamless remote authentication from a mobile device as a second factor. For example, suppose that you’re visiting another office at your company and you need to borrow a computer there temporarily, but you don’t want to potentially expose your credentials to capture. Rather than type in your credentials, you can click **other user** on the Windows 10 logon screen, type your user name, pick the tile for remote authentication, and use an app on your phone, which you already unlocked by using its built-in facial-recognition sensors. The phone and computer are paired and handshake via Bluetooth, you type your authentication PIN on the phone, and the computer gets confirmation of your identity from the IDP. All this happens without typing a password anywhere or typing your PIN on the PC.
-
-**The infrastructure**
-
-Microsoft Passport depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities:
-- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to devices. You can use NDES to register devices directly, Microsoft System Center Configuration Manager Technical Preview or later for on-premises environments, or Microsoft Intune where it’s available to manage mobile device participation in Microsoft Passport.
-- You can configure Windows Server 2016 Technical Preview domain controllers to act as IDPs for Microsoft Passport. In this mode, the Windows Server 2016 Technical Preview domain controllers act as IDPs alongside any existing Windows Server 2008 R2 or later domain controllers. There is no requirement to replace all existing domain controllers, merely to introduce at least one Windows Server 2016 Technical Preview domain controller per Active Directory site and update the forest Active Directory Domain Services (AD DS) schema to Windows Server 2016 Technical Preview.
-- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Microsoft Passport IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 Technical Preview domain controllers required.
-- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides.
-In addition to the IDP, Microsoft Passport requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the [Deployment requirements](#deployreq) section of this document.
-
-## Design a Microsoft Passport for Work deployment
-
-Microsoft Passport for Work is designed for integration with your existing and future directory infrastructure and device deployments, but this flexibility means there are many considerations to think about when you design your deployment. Some of these decisions are technical, while others are organizational or even political. In this section, we examine the key points where you have to make decisions about how to implement Microsoft Passport for Work. Remember, individual devices can use the individual version of Microsoft Passport without any infrastructure changes on your part. Microsoft Passport for Work allows you to control and centrally manage user authentication and device registration. To use the initial version of Microsoft Passport for Work, each device must have an Azure AD identity, so automatic registration of devices provides a means both to register new devices and to apply optional policies to manage Microsoft Passport for Work.
-
-**One deployment strategy**
-
-Different organizations will necessarily take different approaches to the deployment of Microsoft Passport depending on their capabilities and needs, but there is only one strategy: deploy Microsoft Passport for Work throughout the organization to get maximum protection for the maximum number of devices and resources. Organizations can take one of three basic routes to accomplish that strategy:
-
-- Deploy Microsoft Passport for Work everywhere according to whatever device or user deployment strategy works best for the organization.
-- Deploy Microsoft Passport for Work first to high-value or high-risk targets, by using conditional access policies to restrict access to key resources only to users who hold strong authentication credentials.
-- Blend Microsoft Passport for Work into an existing multi-factor environment, using it as an additional form of strong authentication alongside physical or virtual smart cards.
-
-**Deploy Microsoft Passport for Work everywhere**
-
-In this approach, you deploy Microsoft Passport throughout the organization in a coordinated rollout. In some ways, this method is similar to any other desktop deployment project; the only real difference is that you must already have the Microsoft Passport infrastructure in place to support device registration before you can start using Microsoft Passport on Windows 10 devices.
-
-> **Note:** You can still upgrade to Windows 10 or add new Windows 10 devices without changing your infrastructure. You just can’t use Microsoft Passport for Work on a device until the device joins Azure AD and receives the appropriate policy.
-
-The major benefit of this approach is that it provides uniform protection for all parts of the organization. Sophisticated attackers have shown a great deal of skill in breaching large organizations by identifying weak points in their security, including users and systems that don’t have high-value information but that can be exploited to get it. Applying consistent protection across every device that an attacker could use to access enterprise data is excellent protection against these types of attacks.
-
-The downside to this approach is its complexity. Smaller organizations may find that managing the rollout of a new operating system across all devices is beyond the scope of their experience and capability. For these organizations, users can self-upgrade, and new users may end up with Windows 10 because they get new devices when they join. Larger organizations, especially those that are highly decentralized or have operations across many physical sites, may have more deployment knowledge and resources but face the challenge of coordinating rollout efforts across a larger user base and footprint.
-
-For more information about desktop deployment of Windows 10, visit the [Windows 10 TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=626581).
-
-One key aspect of this deployment strategy is how to get Windows 10 in users’ hands. Because different organizations have wildly differing strategies to refresh hardware and software, there’s no one-size-fits-all strategy. For example, some organizations pursue a coordinated strategy that puts new desktop operating systems in users’ hands every 2–3 years on existing hardware, supplementing with new hardware only where and when required. Others tend to replace hardware and deploy whatever version of the Windows client operating system ships on the purchased devices. In both cases, there are typically separate deployment cycles for servers and server operating systems, and the desktop and server cycles may or may not be coordinated.
-
-In addition to the issue of Windows 10 deployment to users, you must consider how and when (or if!) you’ll deploy biometric devices to users. Because Windows Hello can take advantage of multiple biometric identifiers, you have a flexible range of device options, which includes the purchase of new devices that incorporate your selected biometric, seeding select users with appropriate devices, rollout of biometric devices as part of a scheduled hardware refresh and using PIN gestures until users get devices, or relying on remote unlock as a second authentication factor.
-
-**Deploy to high-value or high-risk targets**
-
-This strategy takes into account the fact that in most networks, not every asset is equally protected or equally valuable. There are two ways to think about this. One is that you can focus on protecting the users and services that are most at risk of compromise because of their value. Examples include sensitive internal databases or the user accounts of your key executives. The other option is that you can focus on areas of your network that are the most vulnerable, such as users who travel frequently (and thus run a higher risk of lost or stolen devices or drive-by credential theft). Either way, the strategy is the same: selectively and quickly deploy Microsoft Passport to protect specific people and resources. For example, you might issue new Windows 10 devices with biometric sensors to all users who need access to a sensitive internal database, and then deploy the minimum required infrastructure to support Microsoft Passport–secured access to that database for those users.
-
-One of the key design capabilities of Microsoft Passport for Work is that it supports Bring Your Own Device (BYOD) environments by allowing users to register their own devices with the organizational IDP (whether on premises, hybrid, or Azure AD). You may be able to take advantage of this capability to quickly deploy Microsoft Passport to protect your most vulnerable users or assets, ideally by using biometrics as an additional safety measure for the most valuable potential targets.
-
-**Blend Microsoft Passport with your infrastructure**
-
-Organizations that have already invested in smart cards, virtual smart cards, or token-based systems can still benefit from Microsoft Passport. Of those organizations, many use physical tokens and smart cards to protect only critical assets because of the expense and complexity of their deployment. Microsoft Passport offers a valuable complement to these systems because it protects users who currently rely on reusable credentials; protection of all users’ credentials is an important step toward blunting attacks that seek to leverage compromise of any credential into a widespread breach. This approach also gives you a great deal of flexibility in scheduling and deployment.
-Some enterprises have deployed multi-use smart cards that provide building-access control, access to copiers or other office equipment, stored value for lunchroom purchases, remote network access, and other services. Deployment of Microsoft Passport in such environments doesn’t prevent you from continuing to use smart cards for these services. You can leave the existing smart card infrastructure in place for its existing use cases, and then register desktop and mobile devices in Microsoft Passport and use Microsoft Passport to secure access to network and Internet resources. This approach requires a more complicated infrastructure and a greater degree of organizational maturity because it requires you to link your existing PKI with an enrollment service and Microsoft Passport itself.
-
-Smart cards can act as a useful complement to Microsoft Passport in another important way: to bootstrap the initial logon for Microsoft Passport registration. When a user registers with Microsoft Passport on a device, part of that registration process requires a conventional logon. Rather than using a traditional password, organizations that have previously deployed the necessary infrastructure for smart cards or virtual smart cards can allow their users to register new devices by logging on with a smart card or virtual smart card. After the user has proved his or her identity to the organizational IDP with the smart card, the user can set up a PIN and proceed to use Microsoft Passport for future logons.
-
-**Choose a rollout method**
-
-Which rollout method you choose depends on several factors:
-
-- **How many devices you need to deploy.** This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities.
-- **How quickly you want to deploy Microsoft Passport for Work protection.** This is a classic cost–benefit tradeoff. You have to balance the security benefits of Microsoft Passport for Work against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Microsoft Passport coverage in the shortest time possible maximizes security benefits.
-- **The type of devices you want to deploy.** Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Microsoft Passport first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle.
-- **What your current infrastructure looks like.** The individual version of Microsoft Passport doesn’t require changes to your Active Directory environment, but to support Microsoft Passport for Work, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right.
-- **Your plans for the cloud.** If you’re already planning a move to the cloud, Azure AD eases the process of Microsoft Passport for Work deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Microsoft Passport for Work will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Microsoft Passport for Work from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Microsoft Passport for Work services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make.
-
-###
-
-**Deployment requirements**
-
-Table 1 lists six scenarios for deployment of Microsoft Passport for Work in the enterprise. The initial release of Windows 10 supports Azure AD–only scenarios, with support for on-premises Microsoft Passport for Work planned for a future release (see the [Roadmap](#roadmap) section for more details).
-
-Depending on the scenario you choose, Microsoft Passport for Work deployment may require four elements:
-
-- An organizational IDP that supports Microsoft Passport. This can be Azure AD or a set of on-premises Windows Server 2016 Technical Preview domain controllers in an existing AD DS forest. Using Azure AD means that you can establish hybrid identity management, with Azure AD acting as a Microsoft Passport IDP and your on-premises AD DS environment handling older authentication requests. This approach provides all the flexibility of Azure AD with the ability to manage computer accounts and devices running older versions of Windows and on-premises applications such as Microsoft Exchange Server or Microsoft SharePoint.
-- If you use certificates, an MDM system is required to allow policy management of Microsoft Passport for Work. Domain-joined devices in on-premises or hybrid deployments require Configuration Manager Technical Preview or later. Deployments with Azure AD must use either Intune or a compatible non-Microsoft MDM solution.
-- On-premises deployments require the forthcoming Active Directory Federation Services (AD FS) version included in Windows Server 2016 Technical Preview to support provisioning of Microsoft Passport credentials to devices. In this scenario, AD FS takes the place of the provisioning that Azure AD performs in cloud-based deployments.
-- Certificate-based Microsoft Passport deployments require a PKI, including CAs that are accessible to all devices that need to register. If you deploy certificate-based Microsoft Passport on premises, you don’t actually need Windows Server 2016 Technical Preview domain controllers. On-premises deployments do need to apply the Windows Server 2016 Technical Preview AD DS schema and have the Windows Server 2016 Technical Preview version of AD FS installed.
-Table 1. Deployment requirements for Microsoft Passport
-
-
-
-
-
-
-Hex
-Cause
-Mitigation
-
-
-
-0x801C044D
-Authorization token does not contain device ID
-Unjoin the device from Azure AD and rejoin
-
-
-0x80090036
-User cancelled an interactive dialog
-User will be asked to try again
-
-
-0x80090011
-The container or key was not found
-Unjoin the device from Azure AD and rejoin
-
-
-0x8009000F
-The container or key already exists
-Unjoin the device from Azure AD and rejoin
-
-
-0x8009002A
-NTE_NO_MEMORY
-Close programs which are taking up memory and try again.
-
- 0x80090005
-NTE_BAD_DATA
-Unjoin the device from Azure AD and rejoin
-
-
-0x80090029
-TPM is not set up.
-Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**.
-
-
-0x80090031
-NTE_AUTHENTICATION_IGNORED
-Reboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650)
-
-
-0x80090035
-Policy requires TPM and the device does not have TPM.
-Change the Passport policy to not require a TPM.
-
-
-0x801C0003
-User is not authorized to enroll
-Check if the user has permission to perform the operation.
-
-
-0x801C000E
-Registration quota reached
-
-
-0x801C000F
-Operation successful but the device requires a reboot
-Reboot the device.
-
-
-0x801C0010
-The AIK certificate is not valid or trusted
-Sign out and then sign in again.
-
-
-0x801C0011
-The attestation statement of the transport key is invalid
-Sign out and then sign in again.
-
-
-0x801C0012
-Discovery request is not in a valid format
-Sign out and then sign in again.
-
-
-0x801C0015
-The device is required to be joined to an Active Directory domain
-Join the device to an Active Directory domain.
-
-
-0x801C0016
-The federation provider configuration is empty
-Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty.
-
-
-0x801C0017
-The federation provider domain is empty
-Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty.
-
-
-0x801C0018
-The federation provider client configuration URL is empty
-Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL.
-
-
-0x801C03E9
-Server response message is invalid
-Sign out and then sign in again.
-
-
-0x801C03EA
-Server failed to authorize user or device.
-Check if the token is valid and user has permission to register Passport keys.
-
-
-0x801C03EB
-Server response http status is not valid
-Sign out and then sign in again.
-
-
-0x801C03EC
-Unhandled exception from server.
-sign out and then sign in again.
-
-
-0x801C03ED
-Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
-
-
-0x801C03EE
-Attestation failed
-Sign out and then sign in again.
-
-
-0x801C03EF
-The AIK certificate is no longer valid
-Sign out and then sign in again.
-
-
-0x801C044D
-Unable to obtain user token
-Sign out and then sign in again. Check network and credentials.
-
-
-
-0x801C044E
-Failed to receive user creds input
-Sign out and then sign in again.
-
-
-
-Note that the current release of Windows 10 supports the Azure AD–only (RTM) and hybrid scenarios (RTM + November Update). Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
-
-**Select policy settings**
-
-Another key aspect of Microsoft Passport for Work deployment involves the choice of which policy settings to apply to the enterprise. There are two parts to this choice: which policies you deploy to manage Microsoft Passport itself and which policies you deploy to control device management and registration. A complete guide to selecting effective policies is beyond the scope of this guide, but one example reference that may be useful is [Mobile device management capabilities in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733877).
-
-## Implement Microsoft Passport
-
-No configuration is necessary to use Windows Hello or Microsoft Passport on individual user devices if those users just want to protect their personal credentials. Unless the enterprise disables the feature, users have the option to use Microsoft Passport for their personal credentials, even on devices that are registered with an organizational IDP. However, when you make Microsoft Passport for Work available for users, you must add the necessary components to your infrastructure, as described earlier in the [Deployment requirements](#deployreq) section.
-
-**How to use Azure AD**
-
-There are three scenarios for using Microsoft Passport for Work in Azure AD–only organizations:
-- **Organizations that use the version of Azure AD included with Office 365.** For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network (Figure 4), the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
-- **Organizations that use the free tier of Azure AD.** For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the **Connect to work or school** dialog box shown in Figure 4 will be automatically registered with Microsoft Passport for Work support, but previously joined devices will not be registered.
-- **Organizations that have subscribed to Azure AD Premium have access to the full set of Azure AD MDM features.** These features include controls to manage Microsoft Passport for Work. You can set policies to disable or force the use of Microsoft Passport for Work, require the use of a TPM, and control the length and strength of PINs set on the device.
-
- 
-
- Figure 4: Joining an Office 365 organization automatically registers the device in Azure AD
-
-**Enable device registration**
-
-If you want to use Microsoft Passport at Work with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Microsoft Passport for Work with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
-**Set Microsoft Passport policies**
-
-As of the initial release of Windows 10, you can control the following settings for the use of Microsoft Passport for Work:
-- You can require that Microsoft Passport be available only on devices that have TPM security hardware, which means the device uses TPM 1.2 or TPM 2.0.
-- You can enable Microsoft Passport with a hardware-preferred option, which means that keys will be generated on TPM 1.2 or TPM 2.0 when available and by software when TPM is not available.
-- You can configure whether certificate-based Microsoft Passport is available to users. You do this as part of the device deployment process, not through a separately applied policy.
-- You can define the complexity and length of the PIN that users generate at registration.
-- You can control whether Windows Hello use is enabled in your organization.
-
-These settings can be implemented through GPOs or through configuration service providers (CSPs) in MDM systems, so you have a familiar and flexible set of tools you can use to apply them to exactly the users you want. (For details about the Microsoft Passport for Work CSP, see [PassportForWork CSP)](https://go.microsoft.com/fwlink/p/?LinkId=733876).
-
-## Roadmap
-
-The speed at which Universal Windows apps and services evolve means that the traditional design-build-test-release cycle for Windows is too slow to meet customers’ needs. As part of the release of Windows 10, Microsoft is changing how it engineers, tests, and distributes Windows. Rather than large, monolithic releases every 3–5 years, the Windows engineering team is committed to smaller, more frequent releases to get new features and services into the marketplace more rapidly without sacrificing security, quality, or usability. This model has worked well in Office 365 and the Xbox ecosystem.
-
-In the Windows 10 initial release, Microsoft supports the following Microsoft Passport and Windows Hello features:
-
-- Biometric authentication, with fingerprint readers that use the Windows fingerprint reader framework
-- Facial-recognition capability on devices that have compatible IR-capable cameras
-- Microsoft Passport for personal credentials on individually owned and corporate-managed devices
-- Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments
-- Group Policy settings to control Microsoft Passport PIN length and complexity
-
-In future releases of Windows 10, we plan to add support for additional features:
-- Additional biometric identifier types, including iris recognition
-- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
-- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
-- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
-- Group Policy and MDM settings to control Microsoft Passport PIN length and complexity
-
-In the November 2015 release, Microsoft supports the following Microsoft Passport and Windows Hello features:
-
-- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
-
-- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
-
-In future releases of Windows 10, we plan to add support for additional features:
-
-- Key-based and certificate-based Microsoft Passport for Work credentials for on-premises AD deployments
-
-- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
-
-In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers.
-
-
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index a3358422cb..7125de6f76 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -24,6 +24,8 @@ localizationpriority: high
There are some minimum requirements for onboarding your network and endpoints.
## Minimum requirements
+You must be on Windows 10, version 1607 at a minimum.
+For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter.
@@ -33,6 +35,7 @@ When you run the onboarding wizard for the first time, you must choose where you
- Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
### Endpoint hardware and software requirements
+
The Windows Defender ATP agent only supports the following editions of Windows 10:
- Windows 10 Enterprise
@@ -61,7 +64,7 @@ Before you configure endpoints, the telemetry and diagnostics service must be en
### Telemetry and diagnostics settings
You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization.
-By default, this service is enabled, but it's good practice to check to ensure that you'll get telemetry from them.
+By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
index 0f98929851..b686486083 100644
--- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
@@ -17,7 +17,22 @@ ms.sitesec: library
- Windows 10, version 1607
- Windows Server 2016
-Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.
+Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code.
+
+> [!IMPORTANT]
+> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization’s required apps.
+
+The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are:
+
+- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](windows-10-security-guide.md#data-execution-prevention).
+
+- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements.
+
+- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](windows-10-security-guide.md#address-space-layout-randomization).
+
+ To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`.
+
+The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
**To modify Process Mitigation Options**
diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md
index 1cb74baed7..c3ad6bf5a3 100644
--- a/windows/keep-secure/overview-create-wip-policy.md
+++ b/windows/keep-secure/overview-create-wip-policy.md
@@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
+|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md
index 25c9b86986..f516f124d0 100644
--- a/windows/keep-secure/passport-event-300.md
+++ b/windows/keep-secure/passport-event-300.md
@@ -8,47 +8,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
-localizationpriority: high
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-event-300
---
# Event ID 300 - Windows Hello successfully created
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
-
-## Event details
-| | |
-|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Product:** | Windows 10 operating system |
-| **ID:** | 300 |
-| **Source:** | Microsoft Azure Device Registration Service |
-| **Version:** | 10 |
-| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.
-Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |
-
-## Resolve
-
-This is a normal condition. No further action is required.
-
-## Related topics
-
-[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-
-[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-
-[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-
-[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-
-[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-
-[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-
-[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-
-[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-
-[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
index f6419c6ced..9594deccca 100644
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
@@ -8,109 +8,10 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
-localizationpriority: high
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-prepare-people-to-use
---
# Prepare people to use Windows Hello
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
-
-After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
-
-Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
-
-People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
-
-## On devices owned by the organization
-
-When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
-
-
-
-Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
-
-
-
-They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
-
-After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
-
-## On personal devices
-
-People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
-
-People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
-
-## Using Windows Hello and biometrics
-
-If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-
-
-
-## Use a phone to sign in to a PC or VPN
-
-If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
-
-> [!NOTE]
-> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
-
-**Prerequisites:**
-
-- Both phone and PC must be running Windows 10, version 1607.
-- The PC must be running Windows 10 Pro, Enterprise, or Education
-- Both phone and PC must have Bluetooth.
-- The **Microsoft Authenticator** app must be installed on the phone.
-- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
-- The phone must be joined to Azure AD or have a work account added.
-- The VPN configuration profile must use certificate-based authentication.
-
-**Pair the PC and phone**
-
-1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing.
-
- 
-
-2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**.
-
- 
-
-3. On the PC, tap **Yes**.
-
-**Sign in to PC using the phone**
-
-
-1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
- > **Note: ** The first time that you run the **Microsoft Authenticator** app, you must add an account.
-
- 
-
-2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
-
-**Connect to VPN**
-
-You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect.
-
-## Related topics
-
-[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-
-[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-
-[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-
-[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-
-[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-
-[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-
-[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-
-[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index aaf71600b1..f1f62943e3 100644
--- a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -33,8 +33,7 @@ Windows PowerShell or the manage-bde command line interface is the preferred met
>**Note:** Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.
-For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This occurs because Full
-Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker.
+For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
### Active Directory-based protector
@@ -57,28 +56,22 @@ BitLocker encryption is available for disks before or after addition to a cluste
1. Install the BitLocker Drive Encryption feature if it is not already installed.
2. Ensure the disk is formatted NTFS and has a drive letter assigned to it.
-3. Enable BitLocker on the volume using your choice of protector. A password protector is used in the Windows PowerShell script example below.
-
- ``` syntax
- Enable-BitLocker E: -PasswordProtector -Password $pw
- ```
-
-4. Identify the name of the cluster with Windows PowerShell.
+3. Identify the name of the cluster with Windows PowerShell.
``` syntax
Get-Cluster
```
-5. Add an **ADAccountOrGroup**protector to the volume using the cluster name using a command such as:
+4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
``` syntax
- Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
+ Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
- >**Warning:** You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.
+ >**Warning:** You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
-6. Repeat steps 1-6 for each disk in the cluster.
-7. Add the volume(s) to the cluster.
+5. Repeat the preceding steps for each disk in the cluster.
+6. Add the volume(s) to the cluster.
### Turning on BitLocker for a clustered disk using Windows PowerShell
@@ -97,28 +90,26 @@ When the cluster service owns a disk resource already, it needs to be set into m
Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
```
-4. Enable BitLocker on the volume using your choice of protector. A password protector is used in the example below.
-
- ``` syntax
- Enable-BitLocker E: -PasswordProtector -Password $pw
- ```
-
-5. Identify the name of the cluster with Windows PowerShell
+4. Identify the name of the cluster with Windows PowerShell.
``` syntax
Get-Cluster
```
-6. Add an **ADAccountOrGroup** protector with the Cluster Name Object (CNO) to the volume using a command such as:
+5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
``` syntax
- Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
-
+ Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
- >**Warning:** You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.
+ >**Warning:** You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
-7. Repeat steps 1-6 for each disk in the cluster.
-8. Add the volume(s) to the cluster
+6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode:
+
+ ``` syntax
+ Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource
+ ```
+
+7. Repeat the preceding steps for each disk in the cluster.
### Adding BitLocker encrypted volumes to a cluster using manage-bde
diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md
new file mode 100644
index 0000000000..bf9a7ac22a
--- /dev/null
+++ b/windows/keep-secure/recommended-network-definitions-for-wip.md
@@ -0,0 +1,39 @@
+---
+title: Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) (Windows 10)
+description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
+
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
+
+## Recommended Enterprise Cloud Resources
+This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
+
+|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
-
-
-
-Microsoft Passport method
-Azure AD
-Hybrid Active Directory
-
-
-Key-based
-
-
-
-
-Certificate-based
-
-
(Replace "contoso" with your domain name(s) |
+|-----------------------------|---------------------------------------------------------------------|
+|Office 365 for Business |
|
+|Yammer |
|
+|Microsoft Dynamics |contoso.crm.dynamics.com |
+|Visual Studio Online |contoso.visualstudio.com |
+|Power BI |contoso.powerbi.com |
+
+## Recommended Neutral Resources
+We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).
+
+
\ No newline at end of file
diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md
index a8f2f46557..0ae8111073 100644
--- a/windows/keep-secure/remote-credential-guard.md
+++ b/windows/keep-secure/remote-credential-guard.md
@@ -34,7 +34,7 @@ Use the following table to compare different security options for Remote Desktop
> [!NOTE]
> This table compares different options than are shown in the previous diagram.
-| Remote Desktop with Credential Delegation | Remote Credential Guard | Restricted Admin mode |
+| Remote Desktop | Remote Credential Guard | Restricted Admin mode |
|---|---|---|
| Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. |
| Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 13754fa34c..49742f17e8 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -26,7 +26,7 @@ This article describes the following:
The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
->**Note** If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+>**Note** If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
## Hardware, firmware, and software requirements for Device Guard
@@ -42,19 +42,19 @@ You can deploy Device Guard in phases, and plan these phases in relation to the
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> **Notes**
-> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
-> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
+> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
## Device Guard requirements for baseline protections
|Baseline Protections - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
> **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
@@ -62,32 +62,34 @@ The following tables provide more information about the hardware, firmware, and
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
-### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
+### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016)
+### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016
> **Important** The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017)
+### Additional Qualification Requirements starting with Windows 10, version 1703
-| Protections for Improved Security - requirement | Description |
+The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
+
+| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **UEFI NX Protections** | **Requirements**:
- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.
UEFI Runtime Services:
- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
## Device Guard deployment in different scenarios: types of devices
@@ -95,9 +97,9 @@ Typically, deployment of Device Guard happens best in phases, rather than being
| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** |
|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
-| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. |
-| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. |
-| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
- Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
+| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. |
+| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. |
+| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
• Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
## Device Guard deployment in virtual machines
diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md
index 8bd5183126..6b82a956c7 100644
--- a/windows/keep-secure/security-technologies.md
+++ b/windows/keep-secure/security-technologies.md
@@ -11,21 +11,23 @@ author: brianlic-msft
# Security technologies
-Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
+As an IT professional, you can use these topics to learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
-| Topic | Description |
+| Section | Description |
|-|-|
| [Access control](access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
-| [AppLocker](applocker-overview.md)| This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
-| [BitLocker](bitlocker-overview.md)| This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.|
-| [Encrypted Hard Drive](encrypted-hard-drive.md) | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
-| [Security auditing](security-auditing-overview.md)| Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.|
-| [Security policy settings](security-policy-settings.md)| This reference topic describes the common scenarios, architecture, and processes for security settings.|
-| [Trusted Platform Module](trusted-platform-module-overview.md)| This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.|
-| [User Account Control](user-account-control-overview.md)| User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
-| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
-| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.|
-| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
+| [AppLocker](applocker-overview.md)| Describes AppLocker, and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
+| [BitLocker](bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
+| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
+| [Security auditing](security-auditing-overview.md)| Describes how the IT professional can use the security auditing features in Windows, and how organizations can benefit from using these technologies, to enhance the security and manageability of networks.|
+| [Security policy settings](security-policy-settings.md)| Provides a collection of reference topics that describe the common scenarios, architecture, and processes for security settings.|
+| [Smart Cards](smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
+| [Trusted Platform Module](trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
+| [User Account Control](user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
+| [Virtual Smart Cards](virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
+| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Provides information about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
+| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| Provides information about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
+| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
diff --git a/windows/keep-secure/smart-card-architecture.md b/windows/keep-secure/smart-card-architecture.md
index 84d38741cf..41b2dcc225 100644
--- a/windows/keep-secure/smart-card-architecture.md
+++ b/windows/keep-secure/smart-card-architecture.md
@@ -74,7 +74,7 @@ Credential providers must be registered on a computer running Windows, and they
## Smart card subsystem architecture
-Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](http://www.pcscworkgroup.com/specifications/overview.php). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
+Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
### Base CSP and smart card minidriver architecture
diff --git a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
index a0c0edd3dc..1c4f17a7f2 100644
--- a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
+++ b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
@@ -14,7 +14,7 @@ Applies To: Windows 10, Windows Server 2016
This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
-The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications Overview](http://www.pcscworkgroup.com/specifications/overview.php).
+The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://www.pcscworkgroup.com/).
The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description:
diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md
index efb080c89c..044bb0c1be 100644
--- a/windows/keep-secure/tpm-fundamentals.md
+++ b/windows/keep-secure/tpm-fundamentals.md
@@ -67,11 +67,7 @@ The TPM can be used to protect certificates and RSA keys. The TPM key storage pr
## TPM Cmdlets
-If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command:
-
-`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
-
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
## Physical presence interface
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 1cb5843937..e95197be01 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Troubleshoot Windows Defender ATP onboarding issues
description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service.
-keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics
+keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -214,7 +214,7 @@ First, you should check that the service is set to start automatically when Wind
### Ensure the endpoint has an Internet connection
-The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
index 4cb0a35b53..088a82e8d9 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -26,40 +26,15 @@ This section addresses issues that might arise as you use the Windows Defender A
If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
Configure your browser to allow cookies.
-### No data is shown on the portal
-If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist the threat intelligence, data access, and detonation endpoints that also use this protocol.
+### Elements or data missing on the portal
+If some UI elements or data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it.
+
+Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
+
> [!NOTE]
> You must use the HTTPS protocol when adding the following endpoints.
-Depending on your region, add the following endpoints to the whitelist:
-
-U.S. region:
-
-- daasmon-cus-prd.cloudapp.net
-- daasmon-eus-prd.cloudapp.net
-- dataaccess-cus-prd.cloudapp.net
-- dataaccess-eus-prd.cloudapp.net
-- threatintel-cus-prd.cloudapp.net
-- threatintel-eus-prd.cloudapp.net
-- winatpauthorization.windows.com
-- winatpfeedback.windows.com
-- winatpmanagement.windows.com
-- winatponboarding.windows.com
-- winatpservicehealth.windows.com
-
-EU region:
-
-- dataaccess-neu-prd.cloudapp.net
-- dataaccess-weu-prd.cloudapp.net
-- threatintel-neu-prd.cloudapp.net
-- threatintel-weu-prd.cloudapp.net
-- winatpauthorization.windows.com
-- winatpfeedback.windows.com
-- winatpmanagement.windows.com
-- winatponboarding.windows.com
-- winatpservicehealth.windows.com
-
### Windows Defender ATP service shows event or error logs in the Event Viewer
See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
index df382bc1fe..3730d58e83 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
@@ -2223,6 +2223,19 @@ Description of the error.
Event ID: 2050
Filename <uploaded filename>
Sha256: <file SHA>Event ID: 2051
+Filename: <uploaded filename>
+Sha256: <file SHA>
+Current Signature Version: <signature version number>
+Current Engine Version: <engine version number>
+Error code: <error code>
-Event ID: 3002
diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md
new file mode 100644
index 0000000000..f99f10fb6f
--- /dev/null
+++ b/windows/keep-secure/using-owa-with-wip.md
@@ -0,0 +1,34 @@
+---
+title: Using Outlook Web Access with Windows Information Protection (WIP) (Windows 10)
+description: Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP).
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Using Outlook Web Access with Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+Because Outlook Web Access (OWA) can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP):
+
+|Option |OWA behavior |
+|-------|-------------|
+|Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. |
+|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. |
+|Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. |
+
+>[!NOTE]
+>These limitations don’t apply to Outlook 2016 or to the Office 365 Mail and Calendar apps. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings.
+
+
+
+
+
diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md
index 4fb387f147..1640262ffd 100644
--- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md
+++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md
@@ -8,69 +8,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
-localizationpriority: high
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-why-pin-is-better-than-password
---
# Why a PIN is better than a password
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
-On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
-
-
-## PIN is tied to the device
-One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
-
-Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
-
-## PIN is local to the device
-
-A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
-When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
-> **Note:** For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928).
-
-## PIN is backed by hardware
-
-The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
-
-User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
-
-The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
-
-## PIN can be complex
-
-The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
-
-## What if someone steals the laptop or phone?
-
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device.
-You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
-
-**Configure BitLocker without TPM**
-1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
-
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup**
-
-2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.**
-3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect.
-**Set account lockout threshold**
-1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
-
- **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold**
-
-2. Set the number of invalid logon attempts to allow, and then click OK.
-
-## Why do you need a PIN to use biometrics?
-Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
-
-If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
-
-## Related topics
-
-[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-
-[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-
\ No newline at end of file
diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md
index a5c487491c..0ed2aa1d28 100644
--- a/windows/keep-secure/windows-10-enterprise-security-guides.md
+++ b/windows/keep-secure/windows-10-enterprise-security-guides.md
@@ -34,10 +34,6 @@ Get proven guidance to help you better secure and protect your enterprise by usi
-
+
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
-
-## Where is Microsoft Hello data stored?
-The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.
-
-## Has Microsoft set any device requirements for Windows Hello?
-We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
-
-- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
-
-- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
-
-### Fingerprint sensor requirements
-To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional).
-
-**Acceptable performance range for small to large size touch sensors**
-
-- False Accept Rate (FAR): <0.001 – 0.002%
-
-- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-**Acceptable performance range for swipe sensors**
-
-- False Accept Rate (FAR): <0.002%
-
-- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-### Facial recognition sensors
-To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
-
-- False Accept Rate (FAR): <0.001
-
-- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
-
-- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
-
-## Related topics
-- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-- [Microsoft Passport guide](microsoft-passport-guide.md)
-- [Prepare people to use Windows Hello for Work](prepare-people-to-use-microsoft-passport.md)
-- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219)
-
-
-
-
-
-
-
-
-
diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md
new file mode 100644
index 0000000000..b4ebd4ced4
--- /dev/null
+++ b/windows/keep-secure/wip-app-enterprise-context.md
@@ -0,0 +1,55 @@
+---
+title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
+description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly.
+
+## Viewing the Enterprise Context column in Task Manager
+You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
+
+1. Make sure that you have an active WIP policy deployed and turned on in your organization.
+
+2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
+
+ The **Select columns** box appears.
+
+ 
+
+3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
+
+ The **Enterprise Context** column should now be available in Task Manager.
+
+ 
+
+## Review the Enterprise Context
+The **Enterprise Context** column shows you what each app can do with your enterprise data:
+
+- **Domain.** Shows the employee's work domain (such as, corp.contoso.com). This app is considered work-related and can freely touch and open work data and resources.
+
+- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
+
+- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
+
+ >[!IMPORTANT]
+ >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
+
+
+
+
+
+
diff --git a/windows/manage/.vscode/settings.json b/windows/manage/.vscode/settings.json
new file mode 100644
index 0000000000..20af2f68a6
--- /dev/null
+++ b/windows/manage/.vscode/settings.json
@@ -0,0 +1,3 @@
+// Place your settings in this file to overwrite default and user settings.
+{
+}
\ No newline at end of file
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 0da55403a3..70f2e9290f 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -1,12 +1,28 @@
# [Manage and update Windows 10](index.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
-## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
+## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
+### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
+#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
+#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
+#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
+#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
+#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-6.md)
+### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
+### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
+### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
+### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md)
+### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md)
+### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md)
## [Update Windows 10 in the enterprise](waas-update-windows-10.md)
### [Quick guide to Windows as a service](waas-quick-start.md)
### [Overview of Windows as a service](waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+### [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md)
+#### [Get started with Update Compliance](update-compliance-get-started.md)
+#### [Use Update Compliance](update-compliance-using.md)
### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
@@ -25,13 +41,15 @@
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
-### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
+### [Changes to Group Policy settings for Windows 10 Start menu](changes-to-start-policies-in-windows-10.md)
### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
## [Windows Spotlight on the lock screen](windows-spotlight.md)
## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
### [Customize and export Start layout](customize-and-export-start-layout.md)
+### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
@@ -144,6 +162,7 @@
### [Troubleshooting App-V](appv-troubleshooting.md)
### [Technical Reference for App-V](appv-technical-reference.md)
#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
+
#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
@@ -203,4 +222,5 @@
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
+## [Windows Libraries](windows-libraries.md)
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index b42a844ee5..13a0de7e4f 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -14,12 +14,35 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
+## February 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Windows Libraries](windows-libraries.md) | New |
+| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New |
+| [Get started with Update Compliance](update-compliance-get-started.md) | New |
+| [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New |
+| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. |
+| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Added Express updates. |
+| [Distribute offline apps](distribute-offline-apps.md) | General updates to topic. Added links to supporting content for System Center Configuration Manager and Microsoft Intune. |
+
+## January 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New |
+| [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. |
+| [Manage device restarts after updates](waas-restart.md) | Added Registry keys for controlling restarts. |
+
## December 2016
| New or changed topic | Description |
| --- | --- |
| [Quick guide to Windows as a service](waas-quick-start.md) | New |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Added video demonstration of the latest in modern management for Windows 10 |
+| [Windows Store for Business overview](windows-store-for-business-overview.md) | Updated list of supported markets. |
## November 2016
@@ -58,7 +81,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Updated sample XML for combined Start and taskbar layout; added note to explain the difference between applying taskbar configuration by Group Policy and by provisioning package |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated instructions for exiting assigned access mode. |
| Application development for Windows as a service | Topic moved to MSDN: [Application development for Windows as a service](https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service)
-| Windows 10 servicing options | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) |
+| Windows 10 servicing options | New content replaced this topic; see [Overview of Windows as a service](waas-overview.md) |
## RELEASE: Windows 10, version 1607
@@ -163,4 +186,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
\ No newline at end of file
+
diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md
index 743009e354..6cba8aeed7 100644
--- a/windows/manage/changes-to-start-policies-in-windows-10.md
+++ b/windows/manage/changes-to-start-policies-in-windows-10.md
@@ -1,5 +1,5 @@
---
-title: Changes to Group Policy settings for Windows 10 Start (Windows 10)
+title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
description: Windows 10 has a brand new Start experience.
ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
keywords: ["group policy", "start menu", "start screen"]
diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md
index 50576b01ad..dd1108511b 100644
--- a/windows/manage/configure-windows-10-taskbar.md
+++ b/windows/manage/configure-windows-10-taskbar.md
@@ -17,14 +17,14 @@ Starting in Windows 10, version 1607, administrators can pin additional apps to
You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application).
-If you specify an app to be pinned that is not installed on the computer, it won't appear on the taskbar.
+If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar.
-The order of apps in the xml file dictates order of apps on taskbar from left to right, to the right of any existing apps pinned by user.
+The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user.
> [!NOTE]
> In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
-The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
+The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).
@@ -41,21 +41,23 @@ To configure the taskbar:
3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
>[!IMPORTANT]
->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
+>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
+>
+>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](https://technet.microsoft.com/itpro/windows/manage/customize-and-export-start-layout#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout.
### Tips for finding AUMID and Desktop Application Link Path
In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path.
The easiest way to find this data for an application is to:
-1. Pin the application to the Start menu
+1. Pin the application to the Start menu on a reference or testing PC.
2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet.
3. Open the generated XML file.
-4. Look for an entry corresponding to the app you pinned .
+4. Look for an entry corresponding to the app you pinned.
5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`.
-### Sample taskbar configuration XML
+### Sample taskbar configuration XML file
```xml
@@ -75,7 +77,7 @@ The easiest way to find this data for an application is to:
```
-### Sample taskbar configuration added to Start layout XML
+### Sample taskbar configuration added to Start layout XML file
```xml
@@ -139,7 +141,7 @@ The `
settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
+| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
### Data use and access
diff --git a/windows/manage/cortana-at-work-crm.md b/windows/manage/cortana-at-work-crm.md
new file mode 100644
index 0000000000..834bde8a92
--- /dev/null
+++ b/windows/manage/cortana-at-work-crm.md
@@ -0,0 +1,62 @@
+---
+title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10)
+description: How to set up Cortana to help your salespeople get proactive insights on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company.
+
+>[!NOTE]
+>For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819).
+
+
+
+## Turn on Cortana with Dynamics CRM in your organization
+You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](http://go.microsoft.com/fwlink/p/?LinkId=746817)?
+
+**To turn on Cortana with Dynamics CRM**
+
+1. Go to **Settings**, and then click **Administration**.
+
+2. Choose **System Settings**, and then click the **Previews** tab.
+
+3. Read the license terms, and if you agree, select the **I’ve read and agree to the license terms** check box.
+
+4. For each preview feature you want to enable, click **Yes**.
+
+## Turn on Cortana with Dynamics CRM on your employees’ devices
+You must tell your employees to turn on Cortana, before they’ll be able to use it with Dynamics CRM.
+
+**To turn on local Cortana with Dynamics CRM**
+
+1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
+
+2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
+
+ 
+
+ The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
+
+## Turn off Cortana with Dynamics CRM
+Cortana can only access data in Dynamics CRM when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off.
+
+**To turn off Cortana with Dynamics CRM**
+1. Go to **Settings**, and then click **Administration**.
+
+2. Choose **System Settings**, and then click the **Previews** tab.
+
+3. Click **No** for **Cortana**.
+
+ All Dynamics CRM functionality related to Cortana is turned off in your organization.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-feedback.md b/windows/manage/cortana-at-work-feedback.md
new file mode 100644
index 0000000000..ca24c22703
--- /dev/null
+++ b/windows/manage/cortana-at-work-feedback.md
@@ -0,0 +1,24 @@
+---
+title: Send feedback about Cortana at work back to Microsoft (Windows 10)
+description: How to send feedback to Microsoft about Cortana at work.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Send feedback about Cortana at work back to Microsoft
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems.
+
+
+
+If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Preview feedback app. For info about the Insider Preview feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
+
diff --git a/windows/manage/cortana-at-work-o365.md b/windows/manage/cortana-at-work-o365.md
new file mode 100644
index 0000000000..764b5638e0
--- /dev/null
+++ b/windows/manage/cortana-at-work-o365.md
@@ -0,0 +1,72 @@
+---
+title: Set up and test Cortana with Office 365 in your organization (Windows 10)
+description: How to connect Cortana to Office 365 so your employees are notified about regular meetings, unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Set up and test Cortana with Office 365 in your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, do meeting prep work like researching people in LinkedIn or getting documents ready, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips.
+
+But Cortana works even harder when she connects to Office 365, helping employees to be notified about unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late.
+
+
+
+We’re continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, scheduling, and other tasks that are important to help you be successful.
+
+>[!NOTE]
+>For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379).
+
+## Before you begin
+There are a few things to be aware of before you start using Cortana with Office 365 in your organization.
+
+- **Software requirements.** O365 integration with Cortana is available in all countries/regions where Cortana is supported for consumers today. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, it will also become available to organizations.
+
+- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana’s notebook. They must also authorize Cortana to access Office 365 on their behalf.
+
+- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](http://go.microsoft.com/fwlink/p/?LinkId=536419).
+
+- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](http://go.microsoft.com/fwlink/p/?LinkId=620763).
+
+## Turn on Cortana with Office 365 on employees’ devices
+You must tell your employees to turn on Cortana before they’ll be able to use it with Office 365.
+
+**To turn on local Cortana with Office 365**
+
+1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
+
+2. Click on **Connected Services**, click **Office 365**, and then click **Connect**.
+
+ 
+
+ The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen.
+
+## Turn off Cortana with Office 365
+Cortana can only access data in your Office 365 org when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off in the Office 365 admin center.
+
+**To turn off Cortana with Office 365**
+1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account.
+
+2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
+
+3. Expand **Service Settings**, and select **Cortana**.
+
+4. Click **Cortana** to toggle Cortana off.
+
+ All Office 365 functionality related to Cortana is turned off in your organization and your employees are unable to use her at work.
+
+
+
+
+
+
diff --git a/windows/manage/cortana-at-work-overview.md b/windows/manage/cortana-at-work-overview.md
new file mode 100644
index 0000000000..29a9ab3bba
--- /dev/null
+++ b/windows/manage/cortana-at-work-overview.md
@@ -0,0 +1,64 @@
+---
+title: Cortana integration in your business or enterprise (Windows 10)
+description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Cortana integration in your business or enterprise
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+## Who is Cortana?
+Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work.
+Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
+
+Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
+
+
+
+## Where is Cortana available for use in my organization?
+You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers.
+
+Cortana is available on Windows 10, Windows Insider Program and with limited functionality on Windows Phone 8.1, Windows Insider Program.
+
+## Required hardware and software
+Cortana requires the following hardware and software to successfully run the included scenario in your organization.
+
+|Hardware |Description |
+|---------|------------|
+|Microphone |For speech interaction with Cortana. If you don't have a microphone, you can still interact with Cortana by typing in the Cortana Search Box in the taskbar. |
+|Windows Phone |For location-specific reminders. You can also use a desktop device to run through this scenario, but location accuracy is usually better on phones. |
+|Desktop devices |For non-phone-related scenarios. |
+
+
+|Software |Minimum version |
+|---------|------------|
+|Client operating system |
This setting only applies to Windows 10 for desktop devices. |
+|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled).|
+|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled).|
+|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
This setting only applies to Windows 10 Mobile.|
+|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
This setting can’t be managed.
Cortana won't work if this setting is turned off (disabled).|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/manage/cortana-at-work-powerbi.md
new file mode 100644
index 0000000000..979cde3b57
--- /dev/null
+++ b/windows/manage/cortana-at-work-powerbi.md
@@ -0,0 +1,138 @@
+---
+title: Set up and test Cortana for Power BI in your organization (Windows 10)
+description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+---
+
+# Set up and test Cortana for Power BI in your organization
+**Applies to:**
+
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
+
+>[!Note]
+>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
+
+## Before you begin
+To use this walkthrough, you’ll need:
+
+- **Windows 10**. You’ll need to be running at least Windows 10 with the latest version from the Windows Insider Program.
+
+- **Cortana**. You need to have Cortana turned on and be logged into your account.
+
+- **Power BI account with data**. You can use an existing Power BI account, or else you can get a trial account by signing up at http://powerbi.com. Just make sure that either way, you enter some data that you can use.
+
+- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
+
+ **To connect your account to Windows**
+ a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
+
+ b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
+
+## Set up your test environment for Cortana for Power BI
+Before you can start this testing scenario, you must first set up your test environment and data, and then you must turn on and set up Cortana to connect and work with Power BI.
+
+**To set up your test environment with Cortana and Power BI**
+
+1. Go to http://powerbi.com and sign-in with the same O365 credentials you used in the Set up and use Cortana with Office 365 topic.
+
+2. Expand the left rail by clicking the **Show the navigation pane** icon.
+
+ 
+
+3. Click **Get Data** from the left-hand navigation in Power BI.
+
+ 
+
+4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
+
+ 
+
+5. Click **Retail Analysis Sample**, and then click **Connect**.
+
+ 
+
+ The sample data is imported and you’re returned to the **Power BI** screen.
+
+6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
+
+ 
+
+7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
+
+ 
+
+8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
+
+9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
+
+ 
+
+ >[!NOTE]
+ >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
-- **Management server.**
+For third-party MDM providers or management servers, check your product documentation.
## Download an offline-licensed app
+There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app.
-There are several items to download or create for offline-licensed apps. You'll need all of these items to distribute offline apps to your employees. This section includes more info on each item, and tells you how to download an offline-licensed app.
+- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata.
-- **App metadata** -- App metadata is required for distributing offline apps. The metadata includes app details, links to icons, product id, localized product ids, and other items.
+- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
-- **App package** -- App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
+- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
-- **App license** -- App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
-
-- **App frameworks** -- App frameworks are required for distributing offline apps, but you might not need to download one. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
+- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
**To download an offline-licensed app**
-1. Sign in to the Store for Business
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com/).
2. Click **Manage**, and then choose **Inventory**.
3. Click **Refine**, and then choose **Offline**.
4. Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**.
+ - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional.
+ - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required.
+ - **To download an app license**: Choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. This is required.
+ - **To download an app framework**: Find the framework you need to support your app package, and click **Download**. This is optional.
+
+> [!NOTE]
+> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible.
-5. To download app metadata: choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata.
-
-6. To download app package for offline use: click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package.
-
-7. To download an app license: choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license.
-
-8. To download an app framework: find the framework you need to support your app package, and click **Download**.
- **Note**
- You need the framework to support your app package, but if you already have a copy, you don't need to download it again.
-
- Frameworks are backward compatible.
+
diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md
index 40c5250e62..0eb86b635e 100644
--- a/windows/manage/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md
@@ -28,7 +28,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) |
-| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) |
+| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](cortana-at-work-overview.md) |
diff --git a/windows/manage/images/cortana-about-me.png b/windows/manage/images/cortana-about-me.png
new file mode 100644
index 0000000000..32c1ccefab
Binary files /dev/null and b/windows/manage/images/cortana-about-me.png differ
diff --git a/windows/manage/images/cortana-add-reminder.png b/windows/manage/images/cortana-add-reminder.png
new file mode 100644
index 0000000000..3f03528e11
Binary files /dev/null and b/windows/manage/images/cortana-add-reminder.png differ
diff --git a/windows/manage/images/cortana-chicago-weather.png b/windows/manage/images/cortana-chicago-weather.png
new file mode 100644
index 0000000000..9273bf201b
Binary files /dev/null and b/windows/manage/images/cortana-chicago-weather.png differ
diff --git a/windows/manage/images/cortana-complete-send-email-coworker-mic.png b/windows/manage/images/cortana-complete-send-email-coworker-mic.png
new file mode 100644
index 0000000000..3238c8d31d
Binary files /dev/null and b/windows/manage/images/cortana-complete-send-email-coworker-mic.png differ
diff --git a/windows/manage/images/cortana-connect-crm.png b/windows/manage/images/cortana-connect-crm.png
new file mode 100644
index 0000000000..c70c42f75e
Binary files /dev/null and b/windows/manage/images/cortana-connect-crm.png differ
diff --git a/windows/manage/images/cortana-connect-o365.png b/windows/manage/images/cortana-connect-o365.png
new file mode 100644
index 0000000000..df1ffa449b
Binary files /dev/null and b/windows/manage/images/cortana-connect-o365.png differ
diff --git a/windows/manage/images/cortana-connect-uber.png b/windows/manage/images/cortana-connect-uber.png
new file mode 100644
index 0000000000..724fecb5b5
Binary files /dev/null and b/windows/manage/images/cortana-connect-uber.png differ
diff --git a/windows/manage/images/cortana-crm-screen.png b/windows/manage/images/cortana-crm-screen.png
new file mode 100644
index 0000000000..ded5d80a59
Binary files /dev/null and b/windows/manage/images/cortana-crm-screen.png differ
diff --git a/windows/manage/images/cortana-feedback.png b/windows/manage/images/cortana-feedback.png
new file mode 100644
index 0000000000..6e14018c98
Binary files /dev/null and b/windows/manage/images/cortana-feedback.png differ
diff --git a/windows/manage/images/cortana-final-reminder.png b/windows/manage/images/cortana-final-reminder.png
new file mode 100644
index 0000000000..f114e058e5
Binary files /dev/null and b/windows/manage/images/cortana-final-reminder.png differ
diff --git a/windows/manage/images/cortana-meeting-specific-time.png b/windows/manage/images/cortana-meeting-specific-time.png
new file mode 100644
index 0000000000..a108355133
Binary files /dev/null and b/windows/manage/images/cortana-meeting-specific-time.png differ
diff --git a/windows/manage/images/cortana-meeting-tomorrow.png b/windows/manage/images/cortana-meeting-tomorrow.png
new file mode 100644
index 0000000000..13273b6600
Binary files /dev/null and b/windows/manage/images/cortana-meeting-tomorrow.png differ
diff --git a/windows/manage/images/cortana-newyork-weather.png b/windows/manage/images/cortana-newyork-weather.png
new file mode 100644
index 0000000000..b3879737be
Binary files /dev/null and b/windows/manage/images/cortana-newyork-weather.png differ
diff --git a/windows/manage/images/cortana-o365-screen.png b/windows/manage/images/cortana-o365-screen.png
new file mode 100644
index 0000000000..ba06dd6de5
Binary files /dev/null and b/windows/manage/images/cortana-o365-screen.png differ
diff --git a/windows/manage/images/cortana-place-reminder.png b/windows/manage/images/cortana-place-reminder.png
new file mode 100644
index 0000000000..89ccdab3e3
Binary files /dev/null and b/windows/manage/images/cortana-place-reminder.png differ
diff --git a/windows/manage/images/cortana-powerbi-create-report.png b/windows/manage/images/cortana-powerbi-create-report.png
new file mode 100644
index 0000000000..a22789d72a
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-create-report.png differ
diff --git a/windows/manage/images/cortana-powerbi-expand-nav.png b/windows/manage/images/cortana-powerbi-expand-nav.png
new file mode 100644
index 0000000000..c8b47943f9
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-expand-nav.png differ
diff --git a/windows/manage/images/cortana-powerbi-field-selection.png b/windows/manage/images/cortana-powerbi-field-selection.png
new file mode 100644
index 0000000000..8aef58c23a
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-field-selection.png differ
diff --git a/windows/manage/images/cortana-powerbi-getdata-samples.png b/windows/manage/images/cortana-powerbi-getdata-samples.png
new file mode 100644
index 0000000000..3bfa4792df
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-getdata-samples.png differ
diff --git a/windows/manage/images/cortana-powerbi-getdata.png b/windows/manage/images/cortana-powerbi-getdata.png
new file mode 100644
index 0000000000..55b7b61589
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-getdata.png differ
diff --git a/windows/manage/images/cortana-powerbi-myreport.png b/windows/manage/images/cortana-powerbi-myreport.png
new file mode 100644
index 0000000000..cc04d9c6f0
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-myreport.png differ
diff --git a/windows/manage/images/cortana-powerbi-pagesize.png b/windows/manage/images/cortana-powerbi-pagesize.png
new file mode 100644
index 0000000000..fd1c1ef917
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-pagesize.png differ
diff --git a/windows/manage/images/cortana-powerbi-report-qna.png b/windows/manage/images/cortana-powerbi-report-qna.png
new file mode 100644
index 0000000000..d17949aa8a
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-report-qna.png differ
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/manage/images/cortana-powerbi-retail-analysis-dashboard.png
new file mode 100644
index 0000000000..5b94a2e2fc
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-retail-analysis-dashboard.png differ
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-dataset.png b/windows/manage/images/cortana-powerbi-retail-analysis-dataset.png
new file mode 100644
index 0000000000..b2ffec3b70
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-retail-analysis-dataset.png differ
diff --git a/windows/manage/images/cortana-powerbi-retail-analysis-sample.png b/windows/manage/images/cortana-powerbi-retail-analysis-sample.png
new file mode 100644
index 0000000000..e3b61dcaa2
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-retail-analysis-sample.png differ
diff --git a/windows/manage/images/cortana-powerbi-search.png b/windows/manage/images/cortana-powerbi-search.png
new file mode 100644
index 0000000000..88a8b40296
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-search.png differ
diff --git a/windows/manage/images/cortana-powerbi-settings.png b/windows/manage/images/cortana-powerbi-settings.png
new file mode 100644
index 0000000000..0f51229895
Binary files /dev/null and b/windows/manage/images/cortana-powerbi-settings.png differ
diff --git a/windows/manage/images/cortana-redmond-weather.png b/windows/manage/images/cortana-redmond-weather.png
new file mode 100644
index 0000000000..7e8adc1929
Binary files /dev/null and b/windows/manage/images/cortana-redmond-weather.png differ
diff --git a/windows/manage/images/cortana-reminder-edit.png b/windows/manage/images/cortana-reminder-edit.png
new file mode 100644
index 0000000000..79cc280947
Binary files /dev/null and b/windows/manage/images/cortana-reminder-edit.png differ
diff --git a/windows/manage/images/cortana-reminder-list.png b/windows/manage/images/cortana-reminder-list.png
new file mode 100644
index 0000000000..1f57fc0f05
Binary files /dev/null and b/windows/manage/images/cortana-reminder-list.png differ
diff --git a/windows/manage/images/cortana-reminder-mic.png b/windows/manage/images/cortana-reminder-mic.png
new file mode 100644
index 0000000000..46a18e8e0b
Binary files /dev/null and b/windows/manage/images/cortana-reminder-mic.png differ
diff --git a/windows/manage/images/cortana-reminder-pending-mic.png b/windows/manage/images/cortana-reminder-pending-mic.png
new file mode 100644
index 0000000000..159d408e0a
Binary files /dev/null and b/windows/manage/images/cortana-reminder-pending-mic.png differ
diff --git a/windows/manage/images/cortana-reminder-pending.png b/windows/manage/images/cortana-reminder-pending.png
new file mode 100644
index 0000000000..a6b64b5621
Binary files /dev/null and b/windows/manage/images/cortana-reminder-pending.png differ
diff --git a/windows/manage/images/cortana-send-email-coworker-mic.png b/windows/manage/images/cortana-send-email-coworker-mic.png
new file mode 100644
index 0000000000..0cfa8fb731
Binary files /dev/null and b/windows/manage/images/cortana-send-email-coworker-mic.png differ
diff --git a/windows/manage/images/cortana-send-email-coworker.png b/windows/manage/images/cortana-send-email-coworker.png
new file mode 100644
index 0000000000..40ce18bdca
Binary files /dev/null and b/windows/manage/images/cortana-send-email-coworker.png differ
diff --git a/windows/manage/images/cortana-weather-multipanel.png b/windows/manage/images/cortana-weather-multipanel.png
new file mode 100644
index 0000000000..e8db031744
Binary files /dev/null and b/windows/manage/images/cortana-weather-multipanel.png differ
diff --git a/windows/manage/images/mobile-start-layout.png b/windows/manage/images/mobile-start-layout.png
new file mode 100644
index 0000000000..d1055d6c87
Binary files /dev/null and b/windows/manage/images/mobile-start-layout.png differ
diff --git a/windows/manage/images/uc-01.png b/windows/manage/images/uc-01.png
new file mode 100644
index 0000000000..7f4df9f6d7
Binary files /dev/null and b/windows/manage/images/uc-01.png differ
diff --git a/windows/manage/images/uc-02.png b/windows/manage/images/uc-02.png
new file mode 100644
index 0000000000..8317f051c3
Binary files /dev/null and b/windows/manage/images/uc-02.png differ
diff --git a/windows/manage/images/uc-02a.png b/windows/manage/images/uc-02a.png
new file mode 100644
index 0000000000..d12544e3a0
Binary files /dev/null and b/windows/manage/images/uc-02a.png differ
diff --git a/windows/manage/images/uc-03.png b/windows/manage/images/uc-03.png
new file mode 100644
index 0000000000..58494c4128
Binary files /dev/null and b/windows/manage/images/uc-03.png differ
diff --git a/windows/manage/images/uc-03a.png b/windows/manage/images/uc-03a.png
new file mode 100644
index 0000000000..39412fc8f3
Binary files /dev/null and b/windows/manage/images/uc-03a.png differ
diff --git a/windows/manage/images/uc-04.png b/windows/manage/images/uc-04.png
new file mode 100644
index 0000000000..ef9a37d379
Binary files /dev/null and b/windows/manage/images/uc-04.png differ
diff --git a/windows/manage/images/uc-04a.png b/windows/manage/images/uc-04a.png
new file mode 100644
index 0000000000..537d4bbe72
Binary files /dev/null and b/windows/manage/images/uc-04a.png differ
diff --git a/windows/manage/images/uc-05.png b/windows/manage/images/uc-05.png
new file mode 100644
index 0000000000..21c8e9f9e0
Binary files /dev/null and b/windows/manage/images/uc-05.png differ
diff --git a/windows/manage/images/uc-05a.png b/windows/manage/images/uc-05a.png
new file mode 100644
index 0000000000..2271181622
Binary files /dev/null and b/windows/manage/images/uc-05a.png differ
diff --git a/windows/manage/images/uc-06.png b/windows/manage/images/uc-06.png
new file mode 100644
index 0000000000..03a559800b
Binary files /dev/null and b/windows/manage/images/uc-06.png differ
diff --git a/windows/manage/images/uc-06a.png b/windows/manage/images/uc-06a.png
new file mode 100644
index 0000000000..15df1cfea0
Binary files /dev/null and b/windows/manage/images/uc-06a.png differ
diff --git a/windows/manage/images/uc-07.png b/windows/manage/images/uc-07.png
new file mode 100644
index 0000000000..de1ae35e82
Binary files /dev/null and b/windows/manage/images/uc-07.png differ
diff --git a/windows/manage/images/uc-07a.png b/windows/manage/images/uc-07a.png
new file mode 100644
index 0000000000..c0f2d9fd73
Binary files /dev/null and b/windows/manage/images/uc-07a.png differ
diff --git a/windows/manage/images/uc-08.png b/windows/manage/images/uc-08.png
new file mode 100644
index 0000000000..877fcd64c0
Binary files /dev/null and b/windows/manage/images/uc-08.png differ
diff --git a/windows/manage/images/uc-08a.png b/windows/manage/images/uc-08a.png
new file mode 100644
index 0000000000..89da287d3d
Binary files /dev/null and b/windows/manage/images/uc-08a.png differ
diff --git a/windows/manage/images/uc-09.png b/windows/manage/images/uc-09.png
new file mode 100644
index 0000000000..37d7114f19
Binary files /dev/null and b/windows/manage/images/uc-09.png differ
diff --git a/windows/manage/images/uc-09a.png b/windows/manage/images/uc-09a.png
new file mode 100644
index 0000000000..f6b6ec5b60
Binary files /dev/null and b/windows/manage/images/uc-09a.png differ
diff --git a/windows/manage/images/uc-10.png b/windows/manage/images/uc-10.png
new file mode 100644
index 0000000000..3ab72d10d2
Binary files /dev/null and b/windows/manage/images/uc-10.png differ
diff --git a/windows/manage/images/uc-10a.png b/windows/manage/images/uc-10a.png
new file mode 100644
index 0000000000..1c6b8b01dc
Binary files /dev/null and b/windows/manage/images/uc-10a.png differ
diff --git a/windows/manage/images/uc-11.png b/windows/manage/images/uc-11.png
new file mode 100644
index 0000000000..8b4fc568ea
Binary files /dev/null and b/windows/manage/images/uc-11.png differ
diff --git a/windows/manage/images/uc-12.png b/windows/manage/images/uc-12.png
new file mode 100644
index 0000000000..4198684c99
Binary files /dev/null and b/windows/manage/images/uc-12.png differ
diff --git a/windows/manage/images/uc-13.png b/windows/manage/images/uc-13.png
new file mode 100644
index 0000000000..117f9b9fd8
Binary files /dev/null and b/windows/manage/images/uc-13.png differ
diff --git a/windows/manage/images/uc-14.png b/windows/manage/images/uc-14.png
new file mode 100644
index 0000000000..66047984e7
Binary files /dev/null and b/windows/manage/images/uc-14.png differ
diff --git a/windows/manage/images/uc-15.png b/windows/manage/images/uc-15.png
new file mode 100644
index 0000000000..c241cd9117
Binary files /dev/null and b/windows/manage/images/uc-15.png differ
diff --git a/windows/manage/images/uc-16.png b/windows/manage/images/uc-16.png
new file mode 100644
index 0000000000..e7aff4d4ed
Binary files /dev/null and b/windows/manage/images/uc-16.png differ
diff --git a/windows/manage/images/uc-17.png b/windows/manage/images/uc-17.png
new file mode 100644
index 0000000000..cb8e42ca5e
Binary files /dev/null and b/windows/manage/images/uc-17.png differ
diff --git a/windows/manage/images/uc-18.png b/windows/manage/images/uc-18.png
new file mode 100644
index 0000000000..5eff59adc9
Binary files /dev/null and b/windows/manage/images/uc-18.png differ
diff --git a/windows/manage/images/uc-19.png b/windows/manage/images/uc-19.png
new file mode 100644
index 0000000000..791900eafc
Binary files /dev/null and b/windows/manage/images/uc-19.png differ
diff --git a/windows/manage/images/uc-20.png b/windows/manage/images/uc-20.png
new file mode 100644
index 0000000000..7dbb027b9f
Binary files /dev/null and b/windows/manage/images/uc-20.png differ
diff --git a/windows/manage/images/uc-21.png b/windows/manage/images/uc-21.png
new file mode 100644
index 0000000000..418db41fe4
Binary files /dev/null and b/windows/manage/images/uc-21.png differ
diff --git a/windows/manage/images/uc-22.png b/windows/manage/images/uc-22.png
new file mode 100644
index 0000000000..2ca5c47a61
Binary files /dev/null and b/windows/manage/images/uc-22.png differ
diff --git a/windows/manage/images/uc-23.png b/windows/manage/images/uc-23.png
new file mode 100644
index 0000000000..58b82db82d
Binary files /dev/null and b/windows/manage/images/uc-23.png differ
diff --git a/windows/manage/images/uc-24.png b/windows/manage/images/uc-24.png
new file mode 100644
index 0000000000..00bc61e3e1
Binary files /dev/null and b/windows/manage/images/uc-24.png differ
diff --git a/windows/manage/images/uc-25.png b/windows/manage/images/uc-25.png
new file mode 100644
index 0000000000..4e0f0bdb03
Binary files /dev/null and b/windows/manage/images/uc-25.png differ
diff --git a/windows/manage/images/wufb-config1a.png b/windows/manage/images/wufb-config1a.png
index 44ce007a76..1514b87528 100644
Binary files a/windows/manage/images/wufb-config1a.png and b/windows/manage/images/wufb-config1a.png differ
diff --git a/windows/manage/images/wufb-config2.png b/windows/manage/images/wufb-config2.png
index 0ab09d4868..f54eef9a50 100644
Binary files a/windows/manage/images/wufb-config2.png and b/windows/manage/images/wufb-config2.png differ
diff --git a/windows/manage/images/wufb-config3a.png b/windows/manage/images/wufb-config3a.png
index a76d1569be..538028cfdc 100644
Binary files a/windows/manage/images/wufb-config3a.png and b/windows/manage/images/wufb-config3a.png differ
diff --git a/windows/manage/index.md b/windows/manage/index.md
index e9e8ac3329..bdb730b559 100644
--- a/windows/manage/index.md
+++ b/windows/manage/index.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
+localizationpriority: high
author: jdeckerMS
---
@@ -34,7 +35,7 @@ Learn about managing and updating Windows 10.
-[Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Windows Update for Business. [Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.
+
->Before your employees can use Cortana with Office 365, they must sign into Cortana using a Microsoft account (such as, @outlook.com), and then they must go to the **Connected Accounts** section of Cortana’s notebook to turn on and connect to Office 365.
-
-
-**More info:**
-
-- For specific info about what you need to know as a company administrator, including how to turn off Cortana with Office 365, see the [Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717378) support topic.
-
-- For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717379).
-
-## Cortana and Power BI
-Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana answers using the full capabilities of Power BI Desktop.
-
-**More info:**
-
-- For specific info about how to start using Power BI and Cortana integration, how to customize your data results, and how to use the “Hey Cortana” functionality, see the [Power BI: Announcing Power BI integration with Cortana and new ways to quickly find insights in your data](https://go.microsoft.com/fwlink/p/?LinkId=717382) blog.
-
-## Cortana and Microsoft Dynamics CRM
-Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
-
-**More info:**
-- For more info about Preview features, see [What are Preview features and how do I enable them?](https://go.microsoft.com/fwlink/p/?LinkId=746817).
-- For more info about Cortana, see [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818).
-- For more info about CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819).
-
-## Cortana and privacy
-We understand that there are concerns about Cortana and enterprise privacy, so we’ve put together the [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=717383) topic that covers many of the frequently asked questions. These questions include things such as what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services.
-
-## Set up Cortana using Group Policy and MDM policies
-Set up and manage Cortana by using the following Group Policy and mobile device management (MDM) policies.
-
-|Group policy |MDM policy |Description |
-|-------------|-----------|------------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
This setting only applies to Windows 10 for desktop devices. |
-|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled). |
-|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled). |
-|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
This setting only applies to Windows 10 Mobile. |
-|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.
This setting can’t be managed.
Cortana won't work if this setting is turned off (disabled). |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off. |
-
-**More info:**
-- For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=717381).
-
-## Related topics
-- [Cortana and Windows](https://go.microsoft.com/fwlink/p/?LinkId=717384)
-- [Cortana for developers](https://go.microsoft.com/fwlink/p/?LinkId=717385)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/cortana-at-work-overview
+---
\ No newline at end of file
diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
index e0852318ad..f149335e36 100644
--- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
@@ -81,7 +81,7 @@ You can envision user and device management as falling into these two categories
Domain joined PCs and tablets can continue to be managed with the [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) client or Group Policy.
-For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/).
+For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/).
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
diff --git a/windows/manage/mandatory-user-profile.md b/windows/manage/mandatory-user-profile.md
index 698093e9a1..6664e2d2aa 100644
--- a/windows/manage/mandatory-user-profile.md
+++ b/windows/manage/mandatory-user-profile.md
@@ -60,7 +60,7 @@ First, you create a default user profile with the customizations that you want,
3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-3. Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications:
+3. For devices running Windows 10, use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications:
- Microsoft.windowscommunicationsapps_8wekyb3d8bbwe
- Microsoft.BingWeather_8wekyb3d8bbwe
@@ -146,14 +146,14 @@ It may take some time for this change to replicate to all domain controllers.
## Apply policies to improve sign-in time
-When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the following Group Policy settings.
-
-- Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled
-- Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled
-- Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled
-
+When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
+| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
+| --- | --- | --- | --- | --- |
+| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
+| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
+| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md
new file mode 100644
index 0000000000..1a48aaad33
--- /dev/null
+++ b/windows/manage/start-layout-xml-desktop.md
@@ -0,0 +1,492 @@
+---
+title: Start layout XML for desktop editions of Windows 10 (Windows 10)
+description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions.
+keywords: ["start screen"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Start layout XML for desktop editions of Windows 10 (reference)
+
+
+**Applies to**
+
+- Windows 10
+
+>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
+
+On Windows 10 for desktop editions, the customized Start works by:
+
+- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region.
+
+- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints:
+ - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles.
+ - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
+ - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
+
+## LayoutModification XML
+
+IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions.
+
+>[!NOTE]
+>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file:
+>- Do not leave spaces or white lines in between each element.
+>- Do not add comments inside the StartLayout node or any of its children elements.
+>- Do not add multiple rows of comments.
+
+The following table lists the supported elements and attributes for the LayoutModification.xml file.
+
+| Element | Attributes | Description |
+| --- | --- | --- |
+| LayoutModificationTemplate | xmlnsxmlns:defaultlayoutxmlns:startVersion | Use to describe the changes to the default Start layout |
+| [LayoutOptions](#layoutoptions)Parent:LayoutModificationTemplate | StartTileGroupsColumnCountFullScreenStart | Use to specify:- Whether to use full screen Start on the desktop- The number of tile columns in the Start menu |
+| RequiredStartGroupsCollectionParent:LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups |
+| [RequiredStartGroups](#requiredstartgroups)Parent:RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
+| [AppendGroup](#appendgroup)Parent:RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
+| [start:Tile](#specify-start-tiles)Parent:AppendGroup | AppUserModelIDSizeRowColumn | Use to specify any of the following:- A Universal Windows app- A Windows 8 or Windows 8.1 app |
+| start:DesktopApplicationTileParent:AppendGroup | DesktopApplicationIDDesktopApplicationLinkPathSizeRowColumn | Use to specify any of the following:- A Windows desktop application with a known AppUserModelID- An application in a known folder with a link in a legacy Start Menu folder- A Windows desktop application link in a legacy Start Menu folder- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
+| start:SecondaryTileParent:AppendGroup | AppUserModelIDTileIDArgumentsDisplayNameSquare150x150LogoUriShowNameOnSquare150x150LogoShowNameOnWide310x150LogoWide310x150LogoUriBackgroundColorForegroundTextIsSuggestedAppSizeRowColumn | Use to pin a Web link through a Microsoft Edge secondary tile |
+| TopMFUAppsParent:LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area |
+| TileParent:TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID |
+| DesktopApplicationTileParent:TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID |
+| AppendOfficeSuiteParent:LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to StartDo not use this tag with AppendDownloadOfficeTile |
+| AppendDownloadOfficeTileParent:LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in StartDo not use this tag with AppendOfficeSuite |
+
+### LayoutOptions
+
+New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:
+
+- Boot to tablet mode can be set on or off.
+- Set full screen Start on desktop to on or off.
+ To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false.
+- Specify the number of columns in the Start menu to 1 or 2.
+ To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2.
+
+The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu:
+
+```XML
+
+
+
+## Add Update Compliance to Microsoft Operations Management Suite
+
+Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+
+If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
+
+If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
+
+1. Go to [Operations Management Suite’s page](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+
+ Service Endpoint
+ Connected User Experience and Telemetry component v10.vortex-win.data.microsoft.com
+
settings-win.data.microsoft.com
+ Windows Error Reporting watson.telemetry.microsoft.com
+ Online Crash Analysis oca.telemetry.microsoft.com
+
+ 
+
+
+2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+
+
+ 
+
+
+3. Create a new OMS workspace.
+
+
+ 
+
+
+4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
+
+
+ 
+
+
+5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
+
+
+ 
+
+
+6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
+
+
+ 
+
+
+7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
+
+
+ 
+
+
+8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
+
+
+ 
+
+
+9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
+
+
+ 
+
+
+After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
+
+>You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
+
+## Deploy your Commercial ID to your Windows 10 devices
+
+In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
+
+- Using Group Policy
+ Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
+ 1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
+ 2. Double-click **Configure the Commercial ID**
+ 3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.
+ Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).
+
+ For information on how to use MDM configuration CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/en-us/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
+
+ When using the Intune console, you can use the OMA-URI settings of a [custom policy](https://go.microsoft.com/fwlink/p/?LinkID=616316) to configure the commercial ID. The OMA-URI (case sensitive) path for configuring the commerical ID is: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
+
+ For example, you can use the following values in **Add or edit OMA-URI Setting**:
+
+ **Setting Name**: Windows Analytics Commercial ID
+ **Setting Description**: Configuring commercial id for Windows Analytics solutions
+ **Data Type**: String
+ **OMA-URI (case sensitive)**: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
+ **Value**: \
](images/ua-cg-15.png){kind=link}