Merge branch 'master' into bl-7475998

README.md

@@ -2,3 +2,5 @@
 This repo hosts the WDG ITPro content that is published to TechNet.
 
 This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+
+English Handoff Folder Structure Demo!

browsers/edge/TOC.md

@@ -1,5 +1,5 @@
 #[Microsoft Edge - Deployment Guide for IT Pros](index.md)
-##[Change History for Microsoft Edge](change-history-for-microsoft-edge.md)
+##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
 ##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)
 ##[Available policies for Microsoft Edge](available-policies.md)
 ##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)

browsers/edge/change-history-for-microsoft-edge.md

@@ -9,6 +9,8 @@ ms.sitesec: library
 # Change history for Microsoft Edge
 This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile.
 
+For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/en-us/microsoft-edge/platform/changelog/).
+
 ## June 2016
 |New or changed topic | Description |
 |----------------------|-------------|

browsers/edge/emie-to-improve-compatibility.md

@@ -14,8 +14,6 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
 **Applies to:**
 
 -   Windows 10
--   Windows 10 Mobile
-
 
 If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
 

devices/surface-hub/TOC.md

@@ -19,7 +19,7 @@
 ### [Manage Microsoft Surface Hub](manage-surface-hub.md)
 #### [Accessibility](accessibility-surface-hub.md)
 #### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-#### [Device reset](device-reset-suface-hub.md)
+#### [Device reset](device-reset-surface-hub.md)
 #### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
 #### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
 #### [Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)

devices/surface-hub/create-a-device-account-using-office-365.md

@@ -29,7 +29,7 @@ If you prefer to use a graphical user interface, you can create a device account
 1.  Sign in to Office 365 by visiting http://portal.office.com/admin/
 2.  Provide the admin credentials for your Office 365 tenant. This will take you to your Office 365 Admin Center.
 
-    ![office 365 admin center. ](images/setupdeviceaccto365-02.png)
+    ![Office 365 admin center.](images/setupdeviceaccto365-02.png)
 
 3.  Once you are at the Office 365 Admin Center, navigate to **Users** in the left panel, and then click **Active Users**.
 
@@ -43,7 +43,7 @@ If you prefer to use a graphical user interface, you can create a device account
 
 5.  Once the account has been successfully created, click **Close** on the resulting dialog box, and you will see the admin center Active Users list again.
 
-    ![confirmation screen for creating a new account. ](images/setupdeviceaccto365-05.png)
+    ![Confirmation screen for creating a new account.](images/setupdeviceaccto365-05.png)
 
 6.  Select the user you just created from the **Active Users** list. You need to disable the Skype for Business license, because you can’t create a Skype Meeting Room with this option.
 
@@ -51,7 +51,7 @@ If you prefer to use a graphical user interface, you can create a device account
 
     In the right panel you can see the account properties and several optional actions. The process so far has created a regular Skype account for this user, which you need to disable. Click **Edit** for the **Assigned license** section, then click the dropdown arrow next to the license to expand the details.
 
-    ![assign license for skype for business online.](images/setupdeviceaccto365-07.png)
+    ![assign license for Skype for Business online.](images/setupdeviceaccto365-07.png)
 
     From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**.
 
@@ -59,39 +59,39 @@ If you prefer to use a graphical user interface, you can create a device account
 
 1.  In the Office 365 Admin Center’s left panel, click **ADMIN**, and then click **Exchange**.
 
-    ![office 365 admin center, showing exchange active users. ](images/setupdeviceaccto365-08.png)
+    ![Office 365 admin center, showing exchange active users.](images/setupdeviceaccto365-08.png)
 
 2.  This will open another tab on your browser to take you to the Exchange Admin Center, where you can create and set the Mailbox Setting for Surface Hub.
 
-    ![exchange admin center. ](images/setupdeviceaccto365-09.png)
+    ![Exchange admin center.](images/setupdeviceaccto365-09.png)
 
 3.  To create a Mobile Device Mailbox Policy, click **Mobile** from the left panel and then click **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts.
 
-    ![excahnge admin center - creating a mobile device mailbox policy. ](images/setupdeviceaccto365-10.png)
+    ![Excahnge admin center - creating a mobile device mailbox policy.](images/setupdeviceaccto365-10.png)
 
 4.  To create a New Surface Hub mobile device mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name, provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). Make sure the policy does not require a password for the devices assigned to, so make sure **Require a Password** remains unchecked, then click **Save**.
 
-    ![image showing new mobile device policy](images/setupdeviceaccto365-11.png)
+    ![Image showing new mobile device policy.](images/setupdeviceaccto365-11.png)
 
 5.  After you have created the new mobile device mailbox policy, go back to the **Exchange Admin Center** and you will see the new policy listed.
 
-    ![image with new mobile device mailbox policy in exchange admin center. ](images/setupdeviceaccto365-12.png)
+    ![Image with new mobile device mailbox policy in Exchange admin center.](images/setupdeviceaccto365-12.png)
 
 6.  Now, to apply the ActiveSync policy without using PowerShell, you can do the following: In the EAC, click **Recipients** > **Mailboxes** and then select a mailbox.
 
-    ![image showing mailbox in exchange admin center. ](images/setupdeviceaccto365-13.png)
+    ![Image showing mailbox in Exchange admin center.](images/setupdeviceaccto365-13.png)
 
 7.  In the Details pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen.
 
-    ![image showing mobile device details for the mailbox. ](images/setupdeviceaccto365-14.png)
+    ![Image showing mobile device details for the mailbox.](images/setupdeviceaccto365-14.png)
 
 8.  The mobile device mailbox policy that’s currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**.
 
-    ![image with details for the mobile device policy. ](images/setupdeviceaccto365-15.png)
+    ![Image with details for the mobile device policy.](images/setupdeviceaccto365-15.png)
 
 9.  Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**.
 
-    ![image showing multiple mobile device mailbox policies. ](images/setupdeviceaccto365-16.png)
+    ![Image showing multiple mobile device mailbox policies.](images/setupdeviceaccto365-16.png)
 
 ### <a href="" id="create-device-acct-o365-complete-acct"></a>Use PowerShell to complete device account creation
 
@@ -107,11 +107,11 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
 
 1.  Run Windows PowerShell as Administrator.
 
-    ![image showing how to start windows powershell and run as administrator. ](images/setupdeviceaccto365-17.png)
+    ![Image showing how to start Windows PowerShell and run as administrator.](images/setupdeviceaccto365-17.png)
 
 2.  Create a Credentials object, then create a new session that connects to Skype for Business Online, and provide the global tenant administrator account, then click **OK**.
 
-    ![image for windows powershell credential request. ](images/setupdeviceaccto365-18.png)
+    ![Image for Windows PowerShell credential request. ](images/setupdeviceaccto365-18.png)
 
 3.  To connect to Microsoft Online Services, run:
 
@@ -119,7 +119,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
     Connect-MsolService -Credential $Cred
     ```
 
-    ![image showing powershell cmdlet.](images/setupdeviceaccto365-19.png)
+    ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-19.png)
 
 4.  Now to connect to Skype for Business Online Services, run:
 
@@ -127,7 +127,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
     $sfbsession = New-CsOnlineSession -Credential $cred
     ```
 
-    ![image showing powershell cmdlet.](images/setupdeviceaccto365-20.png)
+    ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-20.png)
 
 5.  Finally, to connect to Exchange Online Services, run:
 
@@ -136,7 +136,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
     "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
     ```
 
-    ![image showing powershell cmdlet.](images/setupdeviceaccto365-21.png)
+    ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png)
 
 6.  Now you have to import the Skype for Business Online Session and the Exchange Online session you have just created, which will import the Exchange and Skype Commands so you can use them locally.
 
@@ -147,7 +147,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
 
     Note that this could take a while to complete.
 
-    ![image showing powershell cmdlet.](images/setupdeviceaccto365-22.png)
+    ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-22.png)
 
 7.  Once you’re connected to the online services you need to run a few more cmdlets to configure this account as a Surface Hub device account.
 
@@ -180,11 +180,11 @@ Now that you're connected to the online services, you can finish setting up the
 
     You will see the correct email address.
 
-    ![image showing powershell cmdlet.](images/setupdeviceaccto365-23.png)
+    ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-23.png)
 
 2.  You need to convert the account into to a room mailbox, so run:
 
-    ![image showing powershell cmdlet.](images/setupdeviceaccto365-24.png)
+    ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-24.png)
 
     ``` syntax
     Set-Mailbox $strEmail -Type Room
@@ -196,7 +196,7 @@ Now that you're connected to the online services, you can finish setting up the
     Set-Mailbox $strEmail -RoomMailboxPassword (ConvertTo-SecureString  -String "<your password>" -AsPlainText -Force) -EnableRoomMailboxAccount $true
     ```
 
-    ![image showing powershell cmdlet.](images/setupdeviceaccto365-25.png)
+    ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-25.png)
 
 4.  Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
 
@@ -205,7 +205,7 @@ Now that you're connected to the online services, you can finish setting up the
     Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
     ```
 
-    ![image showing powershell cmdlet.](images/setupdeviceaccto365-26.png)
+    ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-26.png)
 
 5.  If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
 
@@ -260,11 +260,11 @@ You can use the Exchange Admin Center to create a device account:
 1.  Sign in to your Exchange Admin Center using Exchange admin credentials.
 2.  Once you are at the Exchange Admin Center (EAC), navigate to **Recipients** in the left panel.
 
-    ![image showing mailboxes in exchange admin center. ](images/setupdeviceacctexch-01.png)
+    ![Image showing mailboxes in Exchange admin center.](images/setupdeviceacctexch-01.png)
 
 3.  On the controls above the list of mailboxess, choose **+** to create a new one, and provide a **Display name**, **Name**, and **User logon name**, and then click **Save**.
 
-    ![image showing creating a new mailbox. ](images/setupdeviceacctexch-02.png)
+    ![Image showing creating a new mailbox.](images/setupdeviceacctexch-02.png)
 
 ### <a href="" id="create-device-acct-exch-mbx-policy"></a>Create a mobile device mailbox policy from the Exchange Admin Center
 
@@ -274,19 +274,19 @@ You can use the Exchange Admin Center to create a device account:
 
 1.  Go to the Exchange Admin Center.
 
-    ![image showing exchange admin center. ](images/setupdeviceacctexch-03.png)
+    ![Image showing Exchange admin center.](images/setupdeviceacctexch-03.png)
 
 2.  To create a mobile device mailbox policy, click **Mobile** from the left panel, then **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts.
 
-    ![image showing using exchange admin center to create a mobile device mailbox policy. ](images/setupdeviceacctexch-05.png)
+    ![Image showing using Exchange admin center to create a mobile device mailbox policy.](images/setupdeviceacctexch-05.png)
 
 3.  To create a new mobile device account mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). The policy must not be password-protected, so make sure **Require a Password** remains unchecked, then click **Save**.
 
-    ![image showing new mobile device mailbox policy. ](images/setupdeviceacctexch-06.png)
+    ![Image showing new mobile device mailbox policy.](images/setupdeviceacctexch-06.png)
 
 4.  After you have created the new mobile device mailbox policy, go back to the Exchange Admin Center and you will see the new policy listed.
 
-    ![image showing new mobile device mailbox policy in exchange admin center. ](images/setupdeviceacctexch-07.png)
+    ![Image showing new mobile device mailbox policy in Exchange admin center.](images/setupdeviceacctexch-07.png)
 
 5.  To apply the ActiveSync policy without using PowerShell, you can do the following:
 

devices/surface-hub/create-and-test-a-device-account-surface-hub.md

@@ -116,7 +116,7 @@ You can check online for updated versions at [Surface Hub device account scripts
 
 Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
 
-![](images/deploymentoptions-01.png)
+![Image showing deployment options: online, on-premises, or hybrid.](images/deploymentoptions-01.png)
 
 -   [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365.
 -   [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.

devices/surface-hub/device-reset-suface-hub.md

@@ -2,6 +2,7 @@
 title: Device reset (Surface Hub)
 description: You may wish to reset your Microsoft Surface Hub.
 ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
+redirect_url: https://technet.microsoft.com/en-us/itpro/surface-hub/device-reset-surface-hub
 keywords: reset Surface Hub
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -27,7 +28,10 @@ Initiating a reset will return the device to the last cumulative Windows update,
 -   MDM enrollment
 -   Domain join or Azure AD join information
 -   Local admins on the device
--   Configurations from MDM or the Settings app.
+-   Configurations from MDM or the Settings app
+
+**Important Note**</br>
+Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
 
 After the reset, you'll be taken through the [first run program](first-run-program-surface-hub.md) again.
 

devices/surface-hub/device-reset-surface-hub.md

@@ -0,0 +1,55 @@
+---
+title: Device reset (Surface Hub)
+description: You may wish to reset your Microsoft Surface Hub.
+ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
+keywords: reset Surface Hub
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+---
+
+# Device reset (Surface Hub)
+
+
+You may wish to reset your Microsoft Surface Hub.
+
+Typical reasons for a reset include:
+
+-   The device isn’t running well after installing an update.
+-   You’re repurposing the device for a new meeting space and want to reconfigure it.
+-   You want to change how you locally manage the device.
+
+Initiating a reset will return the device to the last cumulative Windows update, and remove all local user files and configuration, including:
+
+-   The device account
+-   MDM enrollment
+-   Domain join or Azure AD join information
+-   Local admins on the device
+-   Configurations from MDM or the Settings app
+
+**To reset a Surface Hub**
+1.	On your Surface Hub, open **Settings**. 
+
+    ![Image showing Settings app for Surface Hub.](images/sh-settings.png)
+ 
+2.	Click **Update & Security**.
+
+    ![Image showing Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png)
+ 
+3.	Click **Recovery**, and then click **Get started**.
+
+    ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) 
+
+**Important Note**</br>
+Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+
+After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. 
+
+## Related topics
+
+
+[Manage Microsoft Surface Hub](manage-surface-hub.md)
+
+[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)

devices/surface-hub/first-run-program-surface-hub.md

@@ -46,7 +46,7 @@ This is the first screen you'll see when you power up the Surface Hub for the fi
 
  
 
-![icd options checklist](images/setuplocale.png)
+![Image showing ICD options checklist.](images/setuplocale.png)
 
 ### Details
 
@@ -72,7 +72,7 @@ If no wired connection can be found, then the device will attempt to set up a wi
 
 If your device does not detect a wired connection that it can use to connect to a network or the Internet, you will see this page. Here you can either connect to a wireless network, or skip making the network connection.
 
-![](images/setupnetworksetup-1.png)
+![Image shoring Network setup page.](images/setupnetworksetup-1.png)
 
 ### Details
 
@@ -97,7 +97,7 @@ If you want to connect to a secured wireless network from this page, click on th
 
 This page will be shown when you've selected a secured wireless network.
 
-![](images/setupnetworksetup-3.png)
+![Image showing wireless network setup page.](images/setupnetworksetup-3.png)
 
 ### Details
 
@@ -121,11 +121,11 @@ This page will be shown when the device detects a wired connection with limited
 
 -   You can select **Enter proxy settings** which will allow you to specify how to use the network proxy. You'll be taken to the next screen.
 
-![](images/setupnetworksetup-2.png)
+![Image showing network proxy page.](images/setupnetworksetup-2.png)
 
 This is the screen you'll see if you clicked **Enter proxy settings** on the previous screen.
 
-![](images/setupnetworksetup-4.png)
+![Image showing proxy server setting details.](images/setupnetworksetup-4.png)
 
 ### Details
 
@@ -149,7 +149,7 @@ You can skip connecting to a network by selecting **Skip this step**. You'll be
 
 This screen is purely informational, and shows which recommended settings have been enabled by default.
 
-![](images/setupsetupforyou.png)
+![Image showing set up for you page.](images/setupsetupforyou.png)
 
 ### Details
 
@@ -170,7 +170,7 @@ On this page, the Surface Hub will ask for credentials for the device account th
 
  
 
-![icd options checklist](images/setupdeviceacct.png)
+![Image showing Enter device account info page.](images/setupdeviceacct.png)
 
 ### Details
 
@@ -192,7 +192,7 @@ If you skip setting it up now, you can add a device account later by using the S
 
 If you click **Skip setting up a device account**, the device will display a dialog box showing what will happen if the device doesn't have a device account. If you choose **Yes, skip this**, you will be sent to the [Name this device page](#name-this-device).
 
-![icd options checklist](images/setupskipdeviceacct.png)
+![Image showing message the is displaed to confirm you want to skip creating a device account.](images/setupskipdeviceacct.png)
 
 ### What happens?
 
@@ -211,7 +211,7 @@ The device will use the UPN or DOMAIN\\User name and password for the device acc
 
 This page will only be shown if there's a problem. Typically, it means that the device account that you provided was found in Active Directory (AD) or Azure Active Directory (Azure AD), but the Exchange server for the account was not discovered.
 
-![icd options checklist](images/setupexchangeserver-01.png)
+![Image showing Exchange server page.](images/setupexchangeserver-01.png)
 
 ### Details
 
@@ -230,7 +230,7 @@ You can enable Exchange services for a device account later by using the Setting
 
 If you click **Skip setting up Exchange services**, the device will display a dialog showing what will happen. If you choose **Yes, skip this**, then Exchange services will not be set up.
 
-![icd options checklist](images/setupexchangeserver-02.png)
+![Image showing confirmation message that is displayed when you skip setting up Exchange services.](images/setupexchangeserver-02.png)
 
 ### What happens?
 
@@ -249,7 +249,7 @@ This page will be shown when:
 -   Exchange supported protocols are not supported by the Surface Hub.
 -   Exchange returns incorrect XML.
 
-![icd options checklist](images/setupexchangepolicies.png)
+![Image showing Exchange policis page.](images/setupexchangepolicies.png)
 
 ### Details
 
@@ -273,7 +273,7 @@ If you choose to skip this check, the Surface Hub will stop looking for the Exch
 
 This page asks you to provide two names that will be used for identifying the Surface Hub.
 
-![icd options checklist](images/setupnamedevice.png)
+![Image showing Name this device page.](images/setupnamedevice.png)
 
 ### Details
 
@@ -307,7 +307,7 @@ Because every Surface Hub can be used by any number of authenticated employees,
 
  
 
-![icd options checklist](images/setupsetupadmins.png)
+![Image showing Set up admins for this device page.](images/setupsetupadmins.png)
 
 ### Details
 
@@ -348,7 +348,7 @@ Joining Azure AD has two primary benefits:
 1.  Some employees from your organization will be able to access the device as admins, and will be able to start the Settings app and configure the device. People that have admin permissions will be defined in your Azure AD subscription.
 2.  If your Azure AD is connected to a mobile device management (MDM) solution, the device will enroll with that MDM solution so you can apply policies and configuration.
 
-![](images/setupjoiningazuread-1.png)
+![Image showing message when you join your Surface Hub to Azure Active Directory.](images/setupjoiningazuread-1.png)
 
 ### Details
 
@@ -357,11 +357,11 @@ The following input is required:
 -   **User's UPN:** The user principal name (UPN) of an account that can join Azure AD.
 -   **Password:** The password of the account you’re using to join Azure AD.
 
-![](images/setupjoiningazuread-2.png)
+![Image showing account log in info.](images/setupjoiningazuread-2.png)
 
 If you get to this point and don't have valid credentials for an Azure AD account, the device will allow you to continue by creating a local admin account. Click **Set up Windows with a local account instead**.
 
-![](images/setupjoiningazuread-3.png)
+![Image showing Set up an admin account page.](images/setupjoiningazuread-3.png)
 
 ### What happens?
 
@@ -373,7 +373,7 @@ This page will ask for credentials to join a domain so that the Surface Hub can
 
 Once the device has been domain joined, you must specify a security group from the domain you joined. This security group will be provisioned as administrators on the Surface Hub, and anyone from the security group can enter their domain credentials to access Settings.
 
-![icd options checklist](images/setupdomainjoin.png)
+![Image showing Set up admins using domain join page.](images/setupdomainjoin.png)
 
 ### Details
 
@@ -385,7 +385,7 @@ The following input is required:
 
 After the credentials are verified, you will be asked to type a security group name. This input is required.
 
-![icd options checklist](images/setupsecuritygroup-1.png)
+![Image showing Enter a security group page.](images/setupsecuritygroup-1.png)
 
 ### What happens?
 
@@ -401,7 +401,7 @@ If the join is successful, you'll see the **Enter a security group** page. When
 
 If you decide not to use Azure Active Directory (Azure AD) or Active Directory (AD) to manage the Surface Hub, you'll need to create a local admin account.
 
-![](images/setuplocaladmin.png)
+![Image showing Set up an admin account for local admin.](images/setuplocaladmin.png)
 
 ### Details
 

devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md

@@ -21,17 +21,17 @@ Use this procedure if you use Exchange on-prem.
     - In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
     - Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.<p>
     
-        ![new object box for creating a new user in active directory](images/hybriddeployment-01a.png)
+        ![New object box for creating a new user in active directory.](images/hybriddeployment-01a.png)
 
     - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
 
         >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
 
-        ![image showing password dialog box](images/hybriddeployment-02a.png)
+        ![Image showing password dialog box.](images/hybriddeployment-02a.png)
         
     -   Click **Finish** to create the account.
 
-        ![image with account name, logon name, and password options for new user](images/hybriddeployment-03a.png)
+        ![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
 
 2.  After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
 
@@ -223,17 +223,17 @@ Use this procedure if you use Exchange online.
     - In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
     - Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
 
-        ![new object box for creating a new user in active directory](images/hybriddeployment-01a.png)
+        ![New object box for creating a new user in Active Directory.](images/hybriddeployment-01a.png)
 
     - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
     
         >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
     
-        ![image showing password dialog box](images/hybriddeployment-02a.png)
+        ![Image showing password dialog box.](images/hybriddeployment-02a.png)
     
     - Click **Finish** to create the account.
 
-        ![image with account name, logon name, and password options for new user](images/hybriddeployment-03a.png)
+        ![Image with account name, logon name, and password options for new user.](images/hybriddeployment-03a.png)
 
 6.  Directory synchronization.
 

devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md

@@ -30,7 +30,7 @@ If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscript
 
 Alternatively, the device can be enrolled like any other Windows device by going to **Settings** > **Accounts** > **Work access**.
 
-![image showing enroll in device maagement page. ](images/managesettingsmdm-enroll.png)
+![Image showing enroll in device maagement page.](images/managesettingsmdm-enroll.png)
 
 ### Manage a device through MDM
 

devices/surface-hub/prepare-your-environment-for-surface-hub.md

@@ -29,7 +29,7 @@ In order to function properly, the Surface Hub must have access to a wired or wi
 -   Can receive an IP address using DHCP
 -   Open ports:
     -   HTTPS: 443
-    -   HTTP: 8080
+    -   HTTP: 80
 
 A wired connection is preferred.
 
@@ -79,7 +79,7 @@ In order to ensure that your environment is ready for the Surface Hub, verify th
     -   It must have these ports open:
 
         -   HTTPS: 443
-        -   HTTP: 8080
+        -   HTTP: 80
 
         If your network runs through a proxy, you'll need the proxy address or script information as well.
 

devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md

@@ -58,9 +58,7 @@ In order to create and deploy provisioning packages, all of the following are re
 ### <a href="" id="installing-wicd-prov-pkg"></a>Install the Windows Imaging and Configuration Designer
 
 1.  The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718147).
-    >**Note**  The ADK must be installed on a separate PC, not on the Surface Hub.
-
-     
+    >**Note**  The ADK must be installed on a separate PC, not on the Surface Hub.  
 
 2.  Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD.
 
@@ -73,7 +71,7 @@ In order to create and deploy provisioning packages, all of the following are re
 
     All four of these features are required to run the ICD and create a package for the Surfact Hub.
 
-    ![icd options checklist](images/idcfeatureschecklist.png)
+    ![Image showing Windows ADK install page - select features to install.](images/idcfeatureschecklist.png)
 
 3.  Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content.
 
@@ -83,29 +81,29 @@ This example will demonstrate how to create a provisioning package to install a
 
 1.  On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
 
-    ![icd tiles](images/wicd-screen01a.png)
+    ![Image showing Start page in Windows Imaging and Configuration Designer.](images/wicd-screen01a.png)
 
 2.  When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
 
-    ![icd tiles](images/wicd-screen02a.png)
+    ![Image showing New project screen for Windows Imaging and Configuration Designer.](images/wicd-screen02a.png)
 
     Select the settings that are **Common to all Windows editions**, and click **Next**.
 
-    ![icd tiles](images/wicd-screen02b.png)
+    ![Image showing project settings in Windows Imaging and Configuration Designer.](images/wicd-screen02b.png)
 
     When asked to import a provisioning package, just click **Finish.**
 
-    ![icd tiles](images/wicd-screen02c.png)
+    ![Image showing option for importing a provisioning package.](images/wicd-screen02c.png)
 
 3.  ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**.
 
-    ![icd tiles](images/wicd-screen03a.png)
+    ![Image showing Windows Imaging and Configuration Designer's man page.](images/wicd-screen03a.png)
 
     In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane.
 
 4.  In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**.
 
-    ![icd tiles](images/wicd-screen04a.png)
+    ![Image showing available customizations in Windows Imaging and Configuration Designer.](images/wicd-screen04a.png)
 
 5.  In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates.
 
@@ -238,15 +236,15 @@ The following two methods for deploying provisioning packages apply to any kind
 3.  Navigate to **System &gt; Work Access**. Under the header **Related settings**, click on **Add or remove a management package**.
 4.  Here, click the button for **Add a package**.
 
-    ![](images/provisioningpackagesettings-01.png)
+    ![Image showing provisioining packages page in Settings.](images/provisioningpackagesettings-01.png)
 
 5.  Click **Removable media** from the dropdown list. You will see a list of available provisioning packages on the **Settings** page.
 
-    ![](images/provisioningpackagesettings-02.png)
+    ![Image showing add a package page in Settings.](images/provisioningpackagesettings-02.png)
 
 6.  Choose your package and click **Add**.
 
-    ![](images/provisioningpackagesettings-03.png)
+    ![Image showing select a package box.](images/provisioningpackagesettings-03.png)
 
 7.  You may have to re-enter the admin credentials if User Access Control (UAC) asks for them.
 8.  You’ll see a confirmation dialog box. Click **Yes, add it**. The certificate will be installed.

devices/surface-hub/use-room-control-system-with-surface-hub.md

@@ -68,7 +68,7 @@ You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial
 
 This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable.
 
-![image showing the wiring diagram.](images/room-control-wiring-diagram.png)
+![Image showing the wiring diagram.](images/room-control-wiring-diagram.png)
 
 ## Command sets
 

devices/surface-hub/wireless-network-management-for-surface-hub.md

@@ -25,33 +25,33 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 1.  On the Surface Hub, open **Settings** and enter your admin credentials.
 2.  Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
 
-    ![](images/networkmgtwireless-01.png)
+    ![Image showing Wi-Fi settings, Network & Internet page.](images/networkmgtwireless-01.png)
 
 3.  If the network is secured, you'll be asked to enter the security key. Click **Next** to connect.
 
-    ![](images/networkmgtwireless-02.png)
+    ![Image showing security key and password prompts for connecting to secured Wi-Fi.](images/networkmgtwireless-02.png)
 
 ### Review wireless settings
 
 1.  On the Surface Hub, open **Settings** and enter your admin credentials.
 2.  Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
 
-    ![](images/networkmgtwireless-03.png)
+    ![Image showing where to find Advanced options for Network & Internect, Wi-Fi settings.](images/networkmgtwireless-03.png)
 
 3.  The system will show you the properties for the wireless network connection.
 
-    ![](images/networkmgtwireless-04.png)
+    ![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png)
 
 ### Review wired settings
 
 1.  On the Surface Hub, open **Settings** and enter your admin credentials.
 2.  Click **System**, click **Network & Internet**, then click on the network under Ethernet.
 
-    ![](images/networkmgtwired-01.png)
+    ![Image showing Network & Internet, Ethernet settings page.](images/networkmgtwired-01.png)
 
 3.  The system will show you the properties for the wired network connection.
 
-    ![](images/networkmgtwired-02.png)
+    ![Image showing properties for ethernet connection.](images/networkmgtwired-02.png)
 
 ## Related topics
 

devices/surface/TOC.md

@@ -13,4 +13,7 @@
 ### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
 ## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
 ## [Surface Dock Updater](surface-dock-updater.md)
+## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
+### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
+### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
 

devices/surface/deploy-surface-app-with-windows-store-for-business.md

@@ -81,6 +81,8 @@ Figure 5 shows the required frameworks for the Surface app.
 
 *Figure 5. Required frameworks for the Surface app*
 
+>**Note:**  The version numbers of the Surface app and required frameworks will change as the apps are updated. Check for the latest version of Surface app and each framework in Windows Store for Business. Always use the Surface app and recommended framework versions as provided by Windows Store for Business. Using outdated frameworks or the incorrect versions may result in errors or application crashes.
+
 To download the required frameworks for the Surface app, follow these steps:
 1.	Click the **Download** button under **Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
 2.	Click the **Download** button under **Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.

devices/surface/enroll-and-configure-surface-devices-with-semm.md

@@ -0,0 +1,135 @@
+---
+title: Enroll and configure Surface devices with SEMM (Surface)
+description: Learn how to create a Surface UEFI configuration package to control the settings of Surface UEFI, as well as enroll a Surface device in SEMM.
+keywords: surface enterprise management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices, security
+ms.sitesec: library
+author: jobotto
+---
+
+# Enroll and configure Surface devices with SEMM
+
+With Microsoft Surface Enterprise Management Mode (SEMM), you can securely configure the settings of Surface UEFI on a Surface device and manage those settings on Surface devices in your organization. When a Surface device is managed by SEMM, that device is considered to be *enrolled* (sometimes referred to as activated). This article shows you how to create a Surface UEFI configuration package that will not only control the settings of Surface UEFI, but will also enroll a Surface device in SEMM.
+
+For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+
+#### Download and install Microsoft Surface UEFI Configurator
+The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
+Run the Microsoft Surface UEFI Configurator Windows Installer (.msi) file to start the installation of the tool. When the installer completes, find Microsoft Surface UEFI Configurator in the All Apps section of your Start menu.
+
+>**Note**:  Microsoft Surface UEFI Configurator is supported only on Windows 10.
+
+## Create a Surface UEFI configuration package
+
+The Surface UEFI configuration package performs both the role of applying a new configuration of Surface UEFI settings to a Surface device managed with SEMM and the role of enrolling Surface devices in SEMM. The creation of a configuration package requires you to have a signing certificate to be used with SEMM to secure the configuration of UEFI settings on each Surface device. For more information about the requirements for the SEMM certificate, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+
+To create a Surface UEFI configuration package, follow these steps:
+
+1. Open Microsoft Surface UEFI Configurator from the Start menu.
+2. Click **Start**.
+3. Click **Configuration Package**, as shown in Figure 1.
+
+   ![Create a package for SEMM enrollment](images\surface-semm-enroll-fig1.png "Create a package for SEMM enrollment")
+
+   *Figure 1. Select Configuration Package to create a package for SEMM enrollment and configuration*
+
+4. Click **Certificate Protection** to add your exported certificate file with private key (.pfx), as shown in Figure 2. Browse to the location of your certificate file, select the file, and then click **OK**.
+
+   ![Add the SEM certificate and Surface UEFI password to configuration package](images\surface-semm-enrollment-fig2.png "Add the SEM certificate and Surface UEFI password to configuration package")
+
+   *Figure 2. Add the SEMM certificate and Surface UEFI password to a Surface UEFI configuration package*
+
+5. When you are prompted to confirm the certificate password, enter and confirm the password for your certificate file, and then click **OK**.
+6. Click **Password Protection** to add a password to Surface UEFI. This password will be required whenever you boot to UEFI. If this password is not entered, only the **PC information**, **About**, **Enterprise management**, and **Exit** pages will be displayed. This step is optional.
+7. When you are prompted, enter and confirm your chosen password for Surface UEFI, and then click **OK**. If you want to clear an existing Surface UEFI password, leave the password field blank.
+8. If you do not want the Surface UEFI package to apply to a particular device, on the **Choose which Surface type you want to target** page, click the slider beneath the corresponding Surface Book or Surface Pro 4 image so that it is in the **Off** position. (As shown in Figure 3.)
+
+   ![Choose devices for package compatibility](images\surface-semm-enroll-fig3.png "Choose devices for package compatibility")
+
+   *Figure 3. Choose the devices for package compatibility*
+
+9. Click **Next**.
+10. If you want to deactivate a component on managed Surface devices, on the **Choose which components you want to activate or deactivate** page, click the slider next to any device or group of devices you want to deactivate so that the slider is in the **Off** position. (Shown in Figure 4.) The default configuration for each device is **On**. Click the **Reset** button if you want to return all sliders to the default position.
+
+   ![Disable or enable Surface components](images\surface-semm-enroll-fig4.png "Disable or enable Surface components")
+
+   *Figure 4. Disable or enable individual Surface components*
+
+11.	Click **Next**.
+12.	To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
+
+   ![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-semm-enroll-fig5.png "Control advanced Surface UEFI settings and Surface UEFI pages")
+
+   *Figure 5. Control advanced Surface UEFI settings and Surface UEFI pages with SEMM*
+
+13.	In the **Save As** dialog box, specify a name for the Surface UEFI configuration package, browse to the location where you would like to save the file, and then click **Save**.
+14.	When the package is created and saved, the **Successful** page is displayed.
+
+>**Note**:  Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
+
+![Display of certificate thumbprint characters](images\surface-semm-enroll-fig6.png "Display of certificate thumbprint characters")
+
+*Figure 6. The last two characters of the certificate thumbprint are displayed on the Successful page*
+
+Now that you have created your Surface UEFI configuration package, you can enroll or configure Surface devices.
+
+>**Note**:  When a Surface UEFI configuration package is created, a log file is created on the desktop with details of the configuration package settings and options.
+
+## Enroll a Surface device in SEMM
+When the Surface UEFI configuration package is executed, the SEMM certificate and Surface UEFI configuration files are staged in the firmware storage of the Surface device. When the Surface device reboots, Surface UEFI processes these files and begins the process of applying the Surface UEFI configuration or enrolling the Surface device in SEMM, as shown in Figure 7.
+
+![SEMM process for configuration of Surface UEFI or enrollment](images\surface-semm-enroll-fig7.png "SEMM process for configuration of Surface UEFI or enrollment")
+
+*Figure 7. The SEMM process for configuration of Surface UEFI or enrollment of a Surface device*
+
+Before you begin the process to enroll a Surface device in SEMM, ensure that you have the last two characters of the certificate thumbprint on hand. You will need these characters to confirm the device’s enrollment (see Figure 6).
+
+To enroll a Surface device in SEMM with a Surface UEFI configuration package, follow these steps:
+
+1. Run the Surface UEFI configuration package .msi file on the Surface device you want to enroll in SEMM. This will provision the Surface UEFI configuration file in the device’s firmware.
+2. Select the **I accept the terms in the License Agreement** check box to accept the End User License Agreement (EULA), and then click **Install** to begin the installation process.
+3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so.
+4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows:
+  * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate.
+  * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
+
+  ![SEMM enrollment requires last two characters of certificate thumbprint](images\surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint")
+  
+  *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
+
+   * Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file.
+   
+5. The Surface device is now enrolled in SEMM and will boot to Windows.
+
+You can verify that a Surface device has been successfully enrolled in SEMM by looking for **Microsoft Surface Configuration Package** in **Programs and Features** (as shown in Figure 9), or in the events stored in the **Microsoft Surface UEFI Configurator** log, found under **Applications and Services Logs** in Event Viewer (as shown in Figure 10).
+
+![Verify enrollment of Surface device in SEMM in Programs and Features](images\surface-semm-enroll-fig9.png "Verify enrollment of Surface device in SEMM in Programs and Features")
+
+*Figure 9. Verify the enrollment of a Surface device in SEMM in Programs and Features*
+
+![Verify enrollment of Surface device in SEMM in Event Viewer](images\surface-semm-enroll-fig10.png "Verify enrollment of Surface device in SEMM in Event Viewer")
+
+*Figure 10. Verify the enrollment of a Surface device in SEMM in Event Viewer*
+
+You can also verify that the device is enrolled in SEMM in Surface UEFI – while the device is enrolled, Surface UEFI will contain the **Enterprise management** page (as shown in Figure 11).
+
+![Surface UEFI Enterprise management page](images\surface-semm-enroll-fig11.png "Surface UEFI Enterprise management page")
+
+*Figure 11. The Surface UEFI Enterprise management page*
+
+
+## Configure Surface UEFI settings with SEMM
+
+After a device is enrolled in SEMM, you can run Surface UEFI configuration packages signed with the same SEMM certificate to apply new Surface UEFI settings. These settings are applied automatically the next time the device boots, without any interaction from the user. You can use application deployment solutions like System Center Configuration Manager to deploy Surface UEFI configuration packages to Surface devices to change or manage the settings in Surface UEFI.
+
+For more information about how to deploy Windows Installer (.msi) files with Configuration Manager, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt627959).
+
+If you have secured Surface UEFI with a password, users without the password who attempt to boot to Surface UEFI will only have the **PC information**, **About**, **Enterprise management**, and **Exit** pages displayed to them.
+
+If you have not secured Surface UEFI with a password or a user enters the password correctly, settings that are configured with SEMM will be dimmed (unavailable) and the text Some settings are managed by your organization will be displayed at the top of the page, as shown in Figure 12.
+
+![Settings managed by SEMM disabled in Surface UEFI](images\surface-semm-enroll-fig12.png "Settings managed by SEMM disabled in Surface UEFI")
+
+*Figure 12. Settings managed by SEMM will be disabled in Surface UEFI*

devices/surface/index.md

@@ -1,6 +1,6 @@
 ---
 title: Surface (Surface)
-description: .
+description: 
 ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -86,6 +86,11 @@ For more information on planning for, deploying, and managing Surface devices in
 <td><p>[Surface Dock Updater](surface-dock-updater.md)</p></td>
 <td><p>Get a detailed walkthrough of Microsoft Surface Dock Updater.</p></td>
 </tr>
+<tr class="odd">
+<td><p>[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)</p></td>
+<td><p>See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.
+</p></td>
+</tr>
 </tbody>
 </table>
 

devices/surface/manage-surface-dock-firmware-updates.md

@@ -43,7 +43,7 @@ The Surface Dock firmware update process shown in Figure 1 follows these steps:
 
 8.  When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply.
 
-![figure 1](images/manage-surface-dock-fig1-updateprocess.png)
+![Surface Dock firmware update process](images/manage-surface-dock-fig1-updateprocess.png "Surface Dock firmware update process")
 
 *1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater*
 

devices/surface/manage-surface-uefi-settings.md

@@ -39,9 +39,9 @@ You will also find detailed information about the firmware of your Surface devic
 
 - Touch Firmware 
 
-*Figure 1. System information and firmware version information*
+![System information and firmware version information](images/manage-surface-uefi-figure-1.png "System information and firmware version information")
 
-![figure 1](images/manage-surface-uefi-figure-1.png)
+*Figure 1. System information and firmware version information*
 
 You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/en-us/support/install-update-activate/surface-update-history) for your device. 
 
@@ -59,21 +59,21 @@ On the **Security** page of Surface UEFI settings, you can set a password to pro
 
 The password must be at least 6 characters and is case sensitive. 
 
-*Figure 2. Add a password to protect Surface UEFI settings*
+![Add a password to protect Surface UEFI settings](images/manage-surface-uefi-fig2.png "Add a password to protect Surface UEFI settings")
 
-![figure 2](images/manage-surface-uefi-fig2.png)
+*Figure 2. Add a password to protect Surface UEFI settings*
 
 On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
 
-*Figure 3. Configure Secure Boot* 
+![Configure Secure Boot](images/manage-surface-uefi-fig3.png "Configure Secure Boot")
 
-![figure 3](images/manage-surface-uefi-fig3.png)
+*Figure 3. Configure Secure Boot*
 
 You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. 
 
-*Figure 4. Configure Surface UEFI security settings*
+![Configure Surface UEFI security settings](images/manage-surface-uefi-fig4.png "Configure Surface UEFI security settings")
 
-![figure 4](images/manage-surface-uefi-fig4.png)
+*Figure 4. Configure Surface UEFI security settings*
 
 ##Devices 
 
@@ -95,9 +95,9 @@ On the **Devices** page you can enable or disable specific devices and component
 
 Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. 
 
-*Figure 5. Enable and disable specific devices*
+![Enable and disable specific devices](images/manage-surface-uefi-fig5.png "Enable and disable specific devices")
 
-![figure 5](images/manage-surface-uefi-fig5.png)
+*Figure 5. Enable and disable specific devices*
 
 ##Boot configuration 
 
@@ -115,9 +115,9 @@ You can boot from a specific device immediately, or you can swipe left on that d
 
 For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6. 
 
-*Figure 6. Configure the boot order for your Surface device* 
+![Configure the boot order for your Surface device](images/manage-surface-uefi-fig6.png "Configure the boot order for your Surface device")
 
-![figure 6](images/manage-surface-uefi-fig6.png)
+*Figure 6. Configure the boot order for your Surface device* 
 
 You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.  
 
@@ -125,14 +125,14 @@ You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE
 
 The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7. 
 
-*Figure 7. Regulatory information is displayed on the About page*
+![Regulatory information displayed on the About page](images/manage-surface-uefi-fig7.png "Regulatory information displayed on the About page")
 
-![figure 7](images/manage-surface-uefi-fig7.png)
+*Figure 7. Regulatory information displayed on the About page*
 
 ##Exit 
 
 Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. 
 
-*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
+![Exit Surface UEFI and restart the device](images/manage-surface-uefi-fig8.png "Exit Surface UEFI and restart the device")
 
-![figure 8](images/manage-surface-uefi-fig8.png)
+*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*

devices/surface/microsoft-surface-data-eraser.md

@@ -65,24 +65,24 @@ After the creation tool is installed, follow these steps to create a Microsoft S
 
 3.  Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1.
 
-    ![figure 1](images/dataeraser-start-tool.png)
+    ![Start the Microsoft Surface Data Eraser tool](images/dataeraser-start-tool.png "Start the Microsoft Surface Data Eraser tool")
 
-    Figure 1. Start the Microsoft Surface Data Eraser tool
+    *Figure 1. Start the Microsoft Surface Data Eraser tool*
 
 4.  Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
   >**Note:**  If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
   
-    ![figure 2](images/dataeraser-usb-selection.png)
+    ![USB thumb drive selection](images/dataeraser-usb-selection.png "USB thumb drive selection")
 
-    Figure 2. USB thumb drive selection
+    *Figure 2. USB thumb drive selection*
 
 5.  After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**.
 
 6.  When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3.
 
-    ![figure 3](images/dataeraser-complete-process.png)
+    ![Surface Data Eraser USB creation process](images/dataeraser-complete-process.png "Surface Data Eraser USB creation process")
 
-    Figure 3. Complete the Microsoft Surface Data Eraser USB creation process
+    *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process*
 
 7.  Click **X** to close Microsoft Surface Data Eraser.
 
@@ -105,9 +105,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
 
 3.  When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed.
 
-    ![](images/data-eraser-3.png)
+    ![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick")
 
-    Figure 4. Booting the Microsoft Surface Data Eraser USB stick
+    *Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
 
 4.  Read the software license terms, and then close the notepad file.
 
@@ -123,9 +123,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
 
 7.  If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device.
 
-    ![](images/sda-fig5-erase.png)
+    ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed")
 
-    Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser
+    *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
 
 8.  If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
 

devices/surface/microsoft-surface-deployment-accelerator.md

@@ -13,17 +13,17 @@ author: miladCA
 # Microsoft Surface Deployment Accelerator
 
 
-Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
+Microsoft Surface Deployment Accelerator (SDA) provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
 
-Microsoft Surface Deployment Accelerator includes a wizard that automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. The resulting deployment solution is complete with everything you need to immediately begin the deployment of Windows to a Surface device. You can also use Microsoft Surface Deployment Accelerator to create and capture a Windows reference image and then deploy it with the latest Windows Updates.
+SDA includes a wizard that automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. The resulting deployment solution is complete with everything you need to immediately begin the deployment of Windows to a Surface device. You can also use SDA to create and capture a Windows reference image and then deploy it with the latest Windows updates.
 
-Microsoft Surface Deployment Accelerator is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
+SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
 
 You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of customized deployment solution implementation, on the Deploy page of the [Surface TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=691693).
 
 **Download Microsoft Surface Deployment Accelerator**
 
-You can download the installation files for Microsoft Surface Deployment Accelerator from the Microsoft Download Center. To download the installation files:
+You can download the installation files for SDA from the Microsoft Download Center. To download the installation files:
 
 1.  Go to the [Surface Tools for IT](http://go.microsoft.com/fwlink/p/?LinkId=618121) page on the Microsoft Download Center.
 
@@ -32,9 +32,9 @@ You can download the installation files for Microsoft Surface Deployment Acceler
 ## Microsoft Surface Deployment Accelerator prerequisites
 
 
-Before you install Microsoft Surface Deployment Accelerator, your environment must meet the following prerequisites:
+Before you install SDA, your environment must meet the following prerequisites:
 
--   Microsoft Surface Deployment Accelerator must be installed on Windows Server 2012 R2 or later
+-   SDA must be installed on Windows Server 2012 R2 or later
 
 -   PowerShell Script Execution Policy must be set to **Unrestricted**
 
@@ -44,45 +44,74 @@ Before you install Microsoft Surface Deployment Accelerator, your environment mu
 
 -   To support network boot, the Windows Server 2012 R2 environment must have Windows Deployment Services installed and configured to respond to PXE requests
 
--   Access to Windows source files or installation media is required when you prepare a deployment with Microsoft Surface Deployment Accelerator
+-   Access to Windows source files or installation media is required when you prepare a deployment with SDA
 
 -   At least 6 GB of free space for each version of Windows you intend to deploy
 
 ## How Microsoft Surface Deployment Accelerator works
 
 
-As you progress through the Microsoft Surface Deployment Accelerator wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows.
+As you progress through the SDA wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows.
 
-![figure 1](images/sda-fig1-select-steps.png)
+![Software and driver selection window](images/sda-fig1-select-steps.png "Software and driver selection window")
 
-Figure 1: Select desired apps and drivers
+*Figure 1. Select desired apps and drivers*
 
-When the Microsoft Surface Deployment Accelerator completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the Microsoft Surface Deployment Accelerator wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
+When the SDA completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the SDA wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
 
 You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](http://go.microsoft.com/fwlink/p/?linkid=691700), or to [pause the automated installation routine](http://go.microsoft.com/fwlink/p/?linkid=691701). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before.
 
->**Note:**  With Microsoft Surface Deployment Accelerator v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
+>**Note:**  With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
 
  
 
 ## <a href="" id="use-microsoft-surface-deployment-accelerator-without-an-internet-connection--"></a>Use Microsoft Surface Deployment Accelerator without an Internet connection
 
 
-For environments where the Microsoft Surface Deployment Accelerator server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder.
+For environments where the SDA server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder.
 
-![figure 2](images/sda-fig2-specify-local.png)
+![Specify a local source for Surface driver and app files](images/sda-fig2-specify-local.png "Specify a local source for Surface driver and app files")
 
-Figure 2. Specify a local source for Surface driver and app files
+*Figure 2. Specify a local source for Surface driver and app files*
 
 You can find a full list of available driver downloads at [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
 
 >**Note:**&nbsp;&nbsp;Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.
 
+>**Note:**&nbsp;&nbsp;Using files from a local directory is not supported when including Office 365 in your deployment share. To include Office 365 in your deployment share, select the **Download from the Internet** check box. 
+
+## Changes and updates
+
+SDA is periodically updated by Microsoft. For instructions on how these features are used, see [Step-by-Step: Microsoft Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator).
+
+>**Note:**&nbsp;&nbsp;To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share.
  
+### Version 1.96.0405
+This version of SDA adds support for the following:
+* Microsoft Deployment Toolkit (MDT) 2013 Update 2
+* Office 365 Click-to-Run
+* Surface 3 and Surface 3 LTE
+* Reduced Windows Assessment and Deployment Kit (Windows ADK) footprint, only the following Windows ADK components are installed:
+  * Deployment tools
+  * Windows Preinstallation Environment (WinPE)
+  * User State Migration Tool (USMT)
 
- 
+### Version 1.90.0258
+This version of SDA adds support for the following:
+* Surface Book
+* Surface Pro 4
+* Windows 10
 
- 
+### Version 1.90.0000
+This version of SDA adds support for the following:
+* Local driver and app files can be used to create a deployment share without access to the Internet
+
+### Version 1.70.0000
+This version is the original release of SDA. This version of SDA includes support for:
+* MDT 2013 Update 1
+* Windows ADK
+* Surface Pro 3
+* Windows 8.1
 
 
 

devices/surface/step-by-step-surface-deployment-accelerator.md

@@ -26,17 +26,17 @@ For information about prerequisites and instructions for how to download and ins
 
 3.  Accept the End User License Agreement (EULA) by selecting the check box, and then click **Install**, as shown in Figure 1.
 
-    ![figure 1](images/sdasteps-fig1.png)
+    ![Surface Deployment Accelerator setup](images/sdasteps-fig1.png "Surface Deployment Accelerator setup")
 
-    Figure 1. SDA setup
+    *Figure 1. SDA setup*
 
 4.  Click **Finish** to complete the installation of SDA.
 
-The tool installs in the Surface Deployment Accelerator program group, as shown in Figure 2.
+The tool installs in the SDA program group, as shown in Figure 2.
 
-![figure 2](images/sdasteps-fig2.png)
+![SDA program group and icon](images/sdasteps-fig2.png "SDA program group and icon")
 
-Figure 2. The Surface Deployment Accelerator program group and icon
+*Figure 2. The SDA program group and icon*
 
 >**Note:**  At this point the tool has not yet prepared any deployment environment or downloaded any materials from the Internet.
 
@@ -45,7 +45,7 @@ Figure 2. The Surface Deployment Accelerator program group and icon
 ## Create a deployment share
 
 
-The following steps show how you create a deployment share for Windows 10 that supports Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, and the Surface Asset Tag Tool. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
+The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
 
 >**Note:**  SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice.
 
@@ -55,7 +55,14 @@ The following steps show how you create a deployment share for Windows 10 that
 
 2.  On the **Welcome** page, click **Next** to continue.
 
-3.  On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 1. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
+3.  On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
+
+  >**Note:**  As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
+    * Deployment tools
+    * User State Migration Tool (USMT)
+    * Windows Preinstallation Environment (WinPE)</br></br>
+
+  >**Note:**&nbsp;&nbsp;As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
 
 4.  On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue.
 
@@ -75,15 +82,17 @@ The following steps show how you create a deployment share for Windows 10 that
 
         -   **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**.
 
-    ![figure 3](images/sdasteps-fig3.png)
+    ![Specify Windows 10 deployment share options](images/sdasteps-fig3.png "Specify Windows 10 deployment share options")
 
-    Figure 3. Specify Windows 10 deployment share options
+    *Figure 3. Specify Windows 10 deployment share options*
 
-6.  On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface Pro 3 and cannot be selected unless Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
+6.  On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
 
-    ![figure 4](images/sdasteps-fig4-select.png)
+    ![Firmware tool selection](images/sdasteps-fig4-select.png "Firmware tool selection")
 
-    Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers
+    *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers*
+
+    >**Note:**&nbsp;&nbsp;You cannot select both Surface 3 and Surface 3 LTE models at the same time.
 
 7.  On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
 
@@ -105,9 +114,9 @@ The following steps show how you create a deployment share for Windows 10 that
 
     -   Creation of rules and task sequences for Windows deployment
 
-    ![figure 5](images/sdasteps-fig5-installwindow.png)
+    ![The installatin progress window](images/sdasteps-fig5-installwindow.png "The installatin progress window")
 
-    Figure 5. The **Installation Progress** window
+    *Figure 5. The Installation Progress window*
 
 8.  When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
 
@@ -115,13 +124,15 @@ The following steps show how you create a deployment share for Windows 10 that
 
 If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver an app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6.
 
->**Note:**&nbsp;&nbsp;All of the downloaded driver and applications files must be located in the same folder. The driver and app files do not need to be extracted from the downloaded .zip files.
+>**Note:**&nbsp;&nbsp;All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step.
 
- 
+>**Note:**&nbsp;&nbsp;The driver and app files do not need to be extracted from the downloaded .zip files.
 
-![figure 6](images/sdasteps-fig6-specify-driver-app-files.png)
+>**Note:**&nbsp;&nbsp;Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files.
 
-Figure 6. Specify the Surface driver and app files from a local path
+![Specify Surface driver and app files](images/sdasteps-fig6-specify-driver-app-files.png "Specify Surface driver and app files")
+
+*Figure 6. Specify the Surface driver and app files from a local path*
 
 >**Note:**&nbsp;&nbsp;The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
 
@@ -159,9 +170,9 @@ Before you can create bootable media files within the MDT Deployment Workbench o
 
 9.  **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window.
 
-    ![figure 7](images/sdasteps-fig7-diskpart.png)
+    ![Use DiskPart to prepare a USB drive for boot](images/sdasteps-fig7-diskpart.png "Use DiskPart to prepare a USB drive for boot")
 
-    Figure 7. Use DiskPart to prepare a USB drive for boot
+    *Figure 7. Use DiskPart to prepare a USB drive for boot*
 
     >**Note:**&nbsp;&nbsp;You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly.
 
@@ -177,15 +188,15 @@ After you have prepared the USB drive for boot, the next step is to generate off
 
 4.  Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard.
 
-    ![figure 8](images/sdasteps-fig8-mediafolder.png)
+    ![The Media folder of the SDA deployment share](images/sdasteps-fig8-mediafolder.png "The Media folder of the SDA deployment share")
 
-    Figure 8. The Media folder of the SDA deployment share
+    *Figure 8. The Media folder of the SDA deployment share*
 
 5.  On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**.
 
-    ![figure 9](images/sdasteps-fig9-location.png)
+    ![Specify a location and selection profile for your offline media](images/sdasteps-fig9-location.png "Specify a location and selection profile for your offline media")
 
-    Figure 9. Specify a location and selection profile for your offline media
+    *Figure 9. Specify a location and selection profile for your offline media*
 
 6.  On the **Summary** page verify your selections, and then click **Next** to begin creation of the media.
 
@@ -195,9 +206,9 @@ After you have prepared the USB drive for boot, the next step is to generate off
 
 9.  Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10.
 
-    ![figure 10](images/sdasteps-fig10-rules.png)
+    ![Rules of the SDA deployment share](images/sdasteps-fig10-rules.png "Rules of the SDA deployment share")
 
-    Figure 10. The Rules of the SDA deployment share
+    *Figure 10. Rules of the SDA deployment share*
 
 10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text.
 
@@ -229,15 +240,17 @@ After you have prepared the USB drive for boot, the next step is to generate off
     UserPassword=
     ```
 
-    ![figure 11](images/sdasteps-fig11-bootstrap.ini.png)
+    ![The Bootstrap.ini file](images/sdasteps-fig11-bootstrap.ini.png "The Bootstrap.ini file")
 
-    Figure 11. The Bootstrap.ini file of MEDIA001
+    *Figure 11. The Bootstrap.ini file of MEDIA001*
 
 20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window.
 
 21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share.
 
-    ![figure 12](images/sdasteps-fig12-updatemedia.png)Figure 12. Select **Update Media Content**
+    ![Select the Update Media Content option](images/sdasteps-fig12-updatemedia.png "Select the Update Media Content option")
+    
+    *Figure 12. Select the Update Media Content option*
 
 22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.**
 
@@ -252,11 +265,11 @@ Your USB drive is now configured as bootable offline media that contains all of
 ## SDA task sequences
 
 
-The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 1 Lite Touch components](http://technet.microsoft.com/en-us/itpro/windows/deploy/mdt-2013-lite-touch-components).
+The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components).
 
-![figure 13](images/sdasteps-fig13-taskseq.png)
+![Task sequences in the Deployment Workbench](images/sdasteps-fig13-taskseq.png "Task sequences in the Deployment Workbench")
 
-Figure 13. Task sequences in the Deployment Workbench
+*Figure 13. Task sequences in the Deployment Workbench*
 
 ### Deploy Microsoft Surface
 
@@ -286,7 +299,7 @@ The **2 – Create Windows Reference Image** task sequence is used to perform a
 
 Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
 
->**Note:**&nbsp;&nbsp;Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information see [Deploy a Windows 10 image using MDT 2013 Update 1](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
+>**Note:**&nbsp;&nbsp;Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
 
  
 
@@ -323,9 +336,9 @@ To instruct your Surface device to boot from the network, start with the device
 
 4.  Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14.
 
-    ![figure 14](images/sdasteps-fig14-credentials.png)
+    ![Prompt for credentials to the deployment share](images/sdasteps-fig14-credentials.png "Prompt for credentials to the deployment share")
 
-    Figure 14. The prompt for credentials to the deployment share
+    *Figure 14. The prompt for credentials to the deployment share*
 
 5.  The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
 
@@ -343,15 +356,15 @@ To run the Deploy Microsoft Surface task sequence:
 
 1.  On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in Figure 15, and then click **Next.**
 
-    ![figure 15](images/sdasteps-fig15-deploy.png)
+    ![Select the task sequence](images/sdasteps-fig15-deploy.png "Select the task sequence")
 
-    Figure 15. Select the **1 – Deploy Microsoft Surface** task sequence
+    *Figure 15. Select the 1 – Deploy Microsoft Surface task sequence*
 
 2.  On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**.
 
-    ![figure 16](images/sdasteps-fig16-computername.png)
+    ![Computer name and domain credentials](images/sdasteps-fig16-computername.png "Computer name and domain credentials")
 
-    Figure 16. Enter the computer name and domain information
+    *Figure 16. Enter the computer name and domain information*
 
 3.  On the **Product Key** page, keep the **No product key is required** check box selected if you are deploying the same version and edition of Windows to your Surface devices as they came with from the factory. If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise, select the licensing option that is applicable to your scenario.
 
@@ -363,9 +376,9 @@ To run the Deploy Microsoft Surface task sequence:
 
 7.  On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will close and an **Installation Progress** window is displayed to show progress of the task sequence as the image is applied and applications are installed (Figure 17).
 
-    ![figure 17](images/sdasteps-fig17-installprogresswindow.png)
+    ![Installation progress window](images/sdasteps-fig17-installprogresswindow.png "Installation progress window")
 
-    Figure 17. The **Installation Progress** window
+    *Figure 17. The Installation Progress window*
 
 8.  When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device.
 

devices/surface/surface-dock-updater.md

@@ -34,15 +34,15 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
 
     -   If the tool determines that the firmware of your Surface Dock is up to date, a **You have the latest firmware for this Surface Dock** message is displayed, as shown in Figure 1.
 
-        ![figure 1](images/surfacedockupdater-fig1-uptodate-568pix.png)
+        ![Screen that shows your Surface Dock firmware is up to date](images/surfacedockupdater-fig1-uptodate-568pix.png "Screen that shows your Surface Dock firmware is up to date")
 
-        Figure 1. Your Surface Dock firmware is up to date.
+        *Figure 1. Your Surface Dock firmware is up to date*
 
     -   If Microsoft Surface Dock Updater determines that the firmware of your Surface Dock is not up to date, a **This Surface Dock is not running the latest firmware** message is displayed, as shown in Figure 2.
 
-        ![figure 2](images/surfacedockupdater-fig2a-needsupdating.png)
+        ![Screen that shows your Surface Dock firmware needs to be updated](images/surfacedockupdater-fig2a-needsupdating.png "Screen that shows your Surface Dock firmware needs to be updated")
 
-        Figure 2. Your Surface Dock firmware needs to be updated
+        *Figure 2. Your Surface Dock firmware needs to be updated*
 
 3.  To begin the firmware update process, click **Update** on the **Surface Dock Firmware** page.
 
@@ -50,27 +50,27 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
 
 5.  As the firmware update is uploaded to the Surface Dock, a **Progress** page is displayed, as shown in Figure 3. Do not disconnect the Surface Dock while firmware is being uploaded.
 
-    ![figure 3](images/surfacedockupdater-fig3-progress.png)
+    ![Progress of firmware update upload](images/surfacedockupdater-fig3-progress.png "Progress of firmware update upload")
 
-    Figure 3. Progress of firmware update upload to Surface Dock
+    *Figure 3. Progress of firmware update upload to Surface Dock*
 
 6.  After the firmware update has successfully uploaded to the Surface Dock, you are prompted to disconnect and then reconnect the Surface Dock from the Surface device, as shown in Figure 4. The main chipset firmware update will be applied while the Surface Dock is disconnected.
 
-    ![figure 4](images/surfacedockupdater-fig4-disconnect.png)
+    ![Disconnect and reconnect Surface Dock when prompted](images/surfacedockupdater-fig4-disconnect.png "Disconnect and reconnect Surface Dock when prompted")
 
-    Figure 4. Disconnect and reconnect Surface Dock when prompted
+    *Figure 4. Disconnect and reconnect Surface Dock when prompted*
 
 7.  When the main chipset firmware update is verified, the DisplayPort chipset firmware update will be uploaded to the Surface Dock. Upon completion, a **Success** page is displayed and you will again be prompted to disconnect the Surface Dock, as shown in Figure 5.
 
-    ![figure 5](images/surfacedockupdater-fig5-success.png)
+    ![Screen showing successful upload](images/surfacedockupdater-fig5-success.png "Screen showing successful upload")
 
-    Figure 5. Successful upload of Surface Dock firmware
+    *Figure 5. Successful upload of Surface Dock firmware*
 
 8.  After you disconnect the Surface Dock the DisplayPort firmware update will be installed. This process occurs on the Surface Dock hardware while it is disconnected. The Surface Dock must remain powered for up to 3 minutes after it has been disconnected for the firmware update to successfully install. An **Update in Progress** page is displayed (as shown in Figure 6), with a countdown timer to show the estimated time remaining to complete the firmware update installation.
 
-    ![figure 6](images/surfacedockupdater-fig6-countdown.png)
+    ![Countdown timer to complete firmware installation](images/surfacedockupdater-fig6-countdown.png "Countdown timer to complete firmware installation")
 
-    Figure 6. Countdown timer to complete firmware installation on Surface Dock
+    *Figure 6. Countdown timer to complete firmware installation on Surface Dock*
 
 9.  If you want to update multiple Surface Docks in one sitting, you can click the **Update another Surface Dock** button to begin the process on the next Surface Dock.
 
@@ -83,9 +83,9 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
 
 If the Surface Dock firmware update process encounters an installation error with either firmware update, the **Encountered an unexpected error** page may be displayed, as shown in Figure 7.
 
-![figure 7](images/surfacedockupdater-fig7-error.png)
+![Firmware update installation error](images/surfacedockupdater-fig7-error.png "Firmware update installation error")
 
-Figure 7. Firmware update installation has encountered an error
+*Figure 7. Firmware update installation has encountered an error*
 
 Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in Figure 8. If you need to troubleshoot an update through this tool, you will find Surface Dock events recorded with the following event IDs:
 
@@ -97,9 +97,9 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in
 | 12105    | Error                                                    |
 
 
-Figure 8. Surface Dock Updater events in Event Viewer
+![Surface Dock Updater events in Event Viewer](images/surfacedockupdater-fig8-737test.png "Surface Dock Updater events in Event Viewer")
 
-![figure 8](images/surfacedockupdater-fig8-737test.png)
+*Figure 8. Surface Dock Updater events in Event Viewer*
 
 
 ## Related topics

devices/surface/surface-enterprise-management-mode.md

@@ -0,0 +1,163 @@
+---
+title: Surface Enterprise Management Mode (Surface)
+description: See how this feature of Surface devices with Surface UEFI helps you secure and manage firmware settings within your organization.
+keywords: uefi, configure, firmware, secure, semm
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices, security
+ms.sitesec: library
+author: jobotto
+---
+
+# Microsoft Surface Enterprise Management Mode
+
+Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
+
+>**Note**:  SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).
+
+When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
+
+## Microsoft Surface UEFI Configurator
+
+The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
+
+![Microsoft Surface UEFI Configurator](images\surface-ent-mgmt-fig1-uefi-configurator.png "Microsoft Surface UEFI Configurator")
+
+*Figure 1. Microsoft Surface UEFI Configurator*
+
+>**Note**:  Windows 10 is required to run Microsoft Surface UEFI Configurator
+
+You can use the Microsoft Surface UEFI Configurator tool in three modes:
+
+* [Surface UEFI Configuration Package](#configuration-package). Use this mode to create a Surface UEFI configuration package to enroll a Surface device in SEMM and to configure UEFI settings on enrolled devices.
+* [Surface UEFI Reset Package](#reset-package). Use this mode to unenroll a Surface device from SEMM.
+* [Surface UEFI Recovery Request](#recovery-request). Use this mode to respond to a recovery request to unenroll a Surface device from SEMM where a Reset Package operation is not successful.
+
+
+#### Download Microsoft Surface UEFI Configurator
+
+You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
+
+### Configuration package
+
+Surface UEFI configuration packages are the primary mechanism to implement and manage SEMM on Surface devices. These packages contain a configuration file of UEFI settings specified during creation of the package in Microsoft Surface UEFI Configurator and a certificate file, as shown in Figure 2. When a configuration package is run for the first time on a Surface device that is not already enrolled in SEMM, it provisions the certificate file in the device’s firmware and enrolls the device in SEMM. When enrolling a device in SEMM, you will be prompted to confirm the operation by providing the last two digits of the SEMM certificate thumbprint before the certificate file is stored and the enrollment can complete. This confirmation requires that a user be present at the device at the time of enrollment to perform the confirmation.
+
+![Secure a SEMM configuration package with a certificate](images\surface-ent-mgmt-fig2-securepackage.png "Secure a SEMM configuration package with a certificate")
+
+*Figure 2. Secure a SEMM configuration package with a certificate*
+
+See the [Surface Enterprise Management Mode certificate requirements](#surface-enterprise-management-mode-certificate-requirements) section of this article for more information about the requirements for the SEMM certificate.
+
+>**Note**:  You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI.
+
+After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device.
+
+You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4).
+
+![Enable or disable devices in Surface UEFI with SEMM](images\surface-ent-mgmt-fig3-enabledisable.png "Enable or disable devices in Surface UEFI with SEMM")
+
+*Figure 3. Enable or disable devices in Surface UEFI with SEMM*
+
+![Configure advanced settings in SEMM](images\surface-ent-mgmt-fig4-advancedsettings.png "Configure advanced settings in SEMM")
+
+*Figure 4. Configure advanced settings with SEMM*
+
+You can enable or disable the following devices with SEMM:
+
+* Docking USB Port
+* On-board Audio
+* Type Cover
+* Micro SD or SD Card Slots
+* Front Camera
+* Rear Camera
+* Infrared Camera, for Windows Hello
+* Bluetooth Only
+* Wi-Fi and Bluetooth
+* Trusted Platform Module (TPM)
+
+You can configure the following advanced settings with SEMM:
+
+* IPv6 support for PXE boot
+* Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device
+* Lock the boot order to prevent changes
+* Support for booting to USB devices
+* Display of the Surface UEFI **Security** page
+* Display of the Surface UEFI **Devices** page
+* Display of the Surface UEFI **Boot** page
+
+>**Note**:  When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
+
+![Certificate thumbprint display](images\surface-ent-mgmt-fig5-success.png "Certificate thumbprint display")
+
+*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page*
+
+These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6.
+
+![Enrollment confirmation in SEMM](images\surface-ent-mgmt-fig6-enrollconfirm.png "Enrollment confirmation in SEMM")
+
+*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint*
+
+To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
+
+### Reset package
+
+A Surface UEFI reset package is used to perform only one task — to unenroll a Surface device from SEMM. The reset package contains signed instructions to remove the SEMM certificate from the device’s firmware and to reset UEFI settings to factory default. Like a Surface UEFI configuration package, a reset package must be signed with the same SEMM certificate that is provisioned on the Surface device. When you create a SEMM reset package, you are required to supply the serial number of the Surface device you intend to reset. SEMM reset packages are not universal and are specific to one device.
+
+### Recovery request
+
+In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation.
+
+![Initiate a SEMM recovery request](images\surface-ent-mgmt-fig7-semmrecovery.png "Initiate a SEMM recovery request")
+
+*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page*
+
+When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM. 
+
+>**Note**:  A Reset Request expires two hours after it is created.
+
+## Surface Enterprise Management Mode certificate requirements
+
+>**Note**:  The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery.
+
+Packages created with the Microsoft Surface UEFI Configurator tool are signed with a certificate. This certificate ensures that after a device is enrolled in SEMM, only packages created with the approved certificate can be used to modify the settings of UEFI. The following settings are recommended for the SEMM certificate:
+
+* **Key Algorithm** – RSA 
+* **Key Length** – 2048
+* **Hash Algorithm** – SHA-256
+* **Type** – SSL Server Authentication
+* **Key Usage** – Key Encipherment
+* **Provider** – Microsoft Enhanced RSA and AES Cryptographic Provider
+* **Expiration Date** – 15 Months from certificate creation
+* **Key Export Policy** – Exportable
+
+It is also recommended that the SEMM certificate be authenticated in a two-tier public key infrastructure (PKI) architecture where the intermediate certification authority (CA) is dedicated to SEMM, enabling certificate revocation. For more information about a two-tier PKI configuration, see [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348).
+
+>**Note**:  You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios.
+  To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.<br/><br/>The certificate generated by this script is not recommended for production environments.
+  
+   ```
+if (-not (Test-Path "Demo Certificate"))  { New-Item -ItemType Directory -Force -Path "Demo Certificate" }
+if (Test-Path "Demo Certificate\TempOwner.pfx") { Remove-Item "Demo Certificate\TempOwner.pfx" }
+
+# Generate the Ownership private signing key with password 12345678
+$pw = ConvertTo-SecureString "12345678" -AsPlainText -Force
+
+$TestUefiV2 = New-SelfSignedCertificate `
+  -Subject "CN=Surface Demo Kit, O=Contoso Corporation, C=US" `
+  -Type SSLServerAuthentication `
+  -HashAlgorithm sha256 `
+  -KeyAlgorithm RSA `
+  -KeyLength 2048 `
+  -KeyUsage KeyEncipherment `
+  -KeyUsageProperty All `
+  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
+  -NotAfter (Get-Date).AddYears(25) `
+  -TextExtension @("2.5.29.37={text}1.2.840.113549.1.1.1") `
+  -KeyExportPolicy Exportable
+
+$TestUefiV2 | Export-PfxCertificate -Password $pw -FilePath "Demo Certificate\TempOwner.pfx"
+   ```
+
+For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must be exported with the private key and with password protection. Microsoft Surface UEFI Configurator will prompt you to select the SEMM certificate file (.pfx) and certificate password when it is required.
+
+>**Note**:&nbsp;&nbsp;For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.

devices/surface/unenroll-surface-devices-from-semm.md

@@ -0,0 +1,148 @@
+---
+title: Unenroll Surface devices from SEMM (Surface)
+description: Learn how to unenroll a device from SEMM by using a Surface UEFI reset package or the Recovery Request option.
+keywords: surface enterprise management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices, security
+ms.sitesec: library
+author: jobotto
+---
+
+# Unenroll Surface devices from SEMM
+
+When a Surface device is enrolled in Surface Enterprise Management Mode (SEMM), a certificate is stored in the firmware of that device. The presence of that certificate and the enrollment in SEMM prevent any unauthorized changes to Surface UEFI settings or options while the device is enrolled in SEMM. To restore control of Surface UEFI settings to the user, the Surface device must be unenrolled from SEMM, a process sometimes described as reset or recovery. There are two methods you can use to unenroll a device from SEMM—a Surface UEFI reset package and a Recovery Request.
+
+>**Warning:**  To unenroll a device from SEMM and restore user control of Surface UEFI settings, you must have the SEMM certificate that was used to enroll the device in SEMM. If this certificate becomes lost or corrupted, it is not possible to unenroll from SEMM. Back up and protect your SEMM certificate accordingly.
+
+For more information about SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+
+## Unenroll a Surface device from SEMM with a Surface UEFI reset package
+
+The Surface UEFI reset package is the primary method you use to unenroll a Surface device from SEMM. Like a Surface UEFI configuration package, the reset package is a Windows Installer (.msi) file that configures SEMM on the device. Unlike the configuration package, the reset package will reset the Surface UEFI configuration on a Surface device to its default settings, remove the SEMM certificate, and unenroll the device from SEMM.
+
+Reset packages are created specifically for an individual Surface device. To begin the process of creating a reset package, you will need the serial number of the device you want to unenroll, as well as the SEMM certificate used to enroll the device. You can find the serial number of your Surface device on the **PC information** page of Surface UEFI, as shown in Figure 1. This page is displayed even if Surface UEFI is password protected and the incorrect password is entered.
+
+![Serial number of Surface device is displayed](images\surface-semm-unenroll-fig1.png "Serial number of Surface device is displayed")
+
+*Figure 1. The serial number of the Surface device is displayed on the Surface UEFI PC information page*
+
+>**Note:**  To boot to Surface UEFI, press **Volume Up** and **Power** simultaneously while the device is off. Hold **Volume Up** until the Surface logo is displayed and the device begins to boot.
+
+To create a Surface UEFI reset package, follow these steps:
+
+1. Open Microsoft Surface UEFI Configurator from the Start menu.
+2. Click **Start**.
+3. Click **Reset Package**, as shown in Figure 2.
+
+   ![Select Reset Package to create a package to unenroll Surface device from SEMM](images\surface-semm-unenroll-fig2.png "Select Reset Package to create a package to unenroll Surface device from SEMM")
+
+   *Figure 2. Click Reset Package to create a package to unenroll a Surface device from SEMM*
+
+4. Click **Certificate Protection** to add your SEMM certificate file with private key (.pfx), as shown in Figure 3. Browse to the location of your certificate file, select the file, and then click **OK**.
+
+   ![Add the SEMM certificate to Surface UEFI reset package](images\surface-semm-unenroll-fig3.png "Add the SEMM certificate to Surface UEFI reset package")
+
+   *Figure 3. Add the SEMM certificate to a Surface UEFI reset package*
+
+5. Click **Next**.
+6. Type the serial number of the device you want to unenroll from SEMM (as shown in Figure 4), and then click **Build** to generate the Surface UEFI reset package.
+
+   ![Create a Surface UEFI reset package with serial number of Surface device](images\surface-semm-unenroll-fig4.png "Create a Surface UEFI reset package with serial number of Surface device")
+
+   *Figure 4. Use the serial number of your Surface device to create a Surface UEFI reset package*
+
+7. In the **Save As** dialog box, specify a name for the Surface UEFI reset package, browse to the location where you would like to save the file, and then click **Save**.
+8. When the package generation has completed, the **Successful** page is displayed. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
+
+Run the Surface UEFI reset package Windows Installer (.msi) file on the Surface device to unenroll the device from SEMM. The reset package will require a reboot to perform the unenroll operation. After the device has been unenrolled, you can verify the successful removal by ensuring that the **Microsoft Surface Configuration Package** item in **Programs and Features** (shown in Figure 5) is no longer present.
+
+![Screen that shows device is enrolled in SEMM](images\surface-semm-unenroll-fig5.png "Screen that shows device is enrolled in SEMM")
+
+*Figure 5. The presence of the Microsoft Surface Configuration Package item in Programs and Features indicates that the device is enrolled in SEMM*
+
+## Unenroll a Surface device from SEMM with a Recovery Request
+
+In some scenarios, a Surface UEFI reset package may not be a viable option to unenroll a Surface device from SEMM (for example, where Windows has become unusable). In these scenarios you can unenroll the device by using a Recovery Request generated from within Surface UEFI. The Recovery Request process can be initiated even on devices where you do not have the Surface UEFI password.
+
+The Recovery Request process is initiated from Surface UEFI on the Surface device, approved with Microsoft Surface UEFI Configurator on another computer, and then completed in Surface UEFI. Like the reset package, approving a Recovery Request with Microsoft Surface UEFI Configurator requires access to the SEMM certificate that was used to enroll the Surface device.
+
+To initiate a Recovery Request, follow these steps:
+
+1. Boot the Surface device that is to be unenrolled from SEMM to Surface UEFI.
+2. Type the Surface UEFI password if you are prompted to do so.
+3. Click the **Enterprise management** page, as shown in Figure 6.
+
+   ![Enterprise Management page](images\surface-semm-unenroll-fig6.png "Enterprise Management page")
+
+   *Figure 6. The Enterprise management page is displayed in Surface UEFI on devices enrolled in SEMM*
+
+4. Click or press **Get Started**.
+5. Click or press **Next** to begin the Recovery Request process.
+   >**Note:**  A Recovery Request expires two hours after it is created. If a Recovery Request is not completed in this time, you will have to restart the Recovery Request process.
+6. Select **SEMM Certificate** from the list of certificates displayed on the **Choose a SEMM reset key** page (shown in Figure 7), and then click or press **Next**.
+
+   ![Select SEMM certificate for your Recovery Request](images\surface-semm-unenroll-fig7.png "Select SEMM certificate for your Recovery Request")
+
+   *Figure 7. Choose SEMM Certificate for your Recovery Request (Reset Request)*
+
+7. On the **Enter SEMM reset verification code** page you can click the **QR Code** or **Text** buttons to display your Recovery Request (Reset Request) as shown in Figure 8, or the **USB** button to save your Recovery Request (Reset Request) as a file to a USB drive, as shown in Figure 9.
+
+   ![Recovery Request displayed as a QR Code](images\surface-semm-unenroll-fig8.png "Recovery Request displayed as a QR Code")
+
+   *Figure 8. A Recovery Request (Reset Request) displayed as a QR Code*
+
+   ![Save a recovery request to a USB drive](images\surface-semm-unenroll-fig9.png "Save a recovery request to a USB drive")
+
+   *Figure 9. Save a Recovery Request (Reset Request) to a USB drive*
+
+   * To use a QR Code Recovery Request (Reset Request), use a QR reader app on a mobile device to read the code. The QR reader app will translate the QR code into an alphanumeric string. You can then email or message that string to the administrator that will produce the reset verification code with Microsoft Surface UEFI Configurator.
+   * To use a Recovery Request (Reset Request) saved to a USB drive as a file, use the USB drive to transfer the file to the computer where Microsoft Surface UEFI Configurator will be used to produce the Reset Verification Code. The file can also be copied from the USB drive on another device to be emailed or transferred over the network.
+   * To use the Recovery Request (Reset Request) as text, simply type the text directly into Microsoft Surface UEFI Configurator.
+
+8. Open Microsoft Surface UEFI Configurator from the Start menu on another computer.
+>**Note:**  Microsoft Surface UEFI Configurator must run in an environment that is able to authenticate the certificate chain for the SEMM certificate.
+9. Click **Start**.
+10. Click **Recovery Request**, as shown in Figure 10.
+
+   ![Start process to approve a Recovery Request](images\surface-semm-unenroll-fig10.png "Start process to approve a Recovery Request")
+
+   *Figure 10. Click Recovery Request to begin the process to approve a Recovery Request*
+
+11.	Click **Certificate Protection** to authenticate the Recovery Request with the SEMM certificate.
+12.	Browse to and select your SEMM certificate file, and then click **OK**.
+13.	When you are prompted to enter the certificate password as shown in Figure 11, type and confirm the password for the certificate file, and then click **OK**.
+
+   ![Type password for SEMM certificate](images\surface-semm-unenroll-fig11.png "Type password for SEMM certificate")
+
+   *Figure 11. Type the password for the SEMM certificate*
+
+14. Click **Next**.
+15. Enter the Recovery Request (Reset Request), and then click **Generate** to create a reset verification code (as shown in Figure 12).
+
+   ![Enter the recovery request](images\surface-semm-unenroll-fig12.png "Enter the recovery request")
+
+   *Figure 12. Enter the Recovery Request (Reset Request)*
+
+   * If you displayed the Recovery Request (Reset Request) as text on the Surface device being reset, use the keyboard to type the Recovery Request (Reset Request)  in the provided field.
+   * If you displayed the Recovery Request (Reset Request) as a QR Code and then used a messaging or email application to send the code to the computer with Microsoft Surface UEFI Configurator, copy and paste the code into the provided field.
+   * If you saved the Recovery Request (Reset Request) as a file to a USB drive, click the **Import** button, browse to and select the Recovery Request (Reset Request) file, and then click **OK**.
+
+16.	The reset verification code is displayed in Microsoft Surface UEFI Configurator, as shown in Figure 13.
+
+   ![Display of the reset verification code](images\surface-semm-unenroll-fig13.png "Display of the reset verification code")
+
+   *Figure 13. The reset verification code displayed in Microsoft Surface UEFI Configurator*
+
+   * Click the **Share** button to send the reset verification code by email.
+
+17.	Enter the reset verification code in the provided field on the Surface device (shown in Figure 8), and then click or press **Verify** to reset the device and unenroll the device from SEMM.
+18.	Click or press **Restart now** on the **SEMM reset successful** page to complete the unenrollment from SEMM, as shown in Figure 14.
+
+   ![Example display of successful unenrollment from SEMM](images\surface-semm-unenroll-fig14.png "Example display of successful unenrollment from SEMM")
+
+   *Figure 14. Successful unenrollment from SEMM*
+
+19.	Click **End** in Microsoft Surface UEFI Configurator to complete the Recovery Request (Reset Request) process and close Microsoft Surface UEFI Configurator.
+
+

education/windows/take-a-test-multiple-pcs.md

@@ -20,10 +20,10 @@ author: jdeckerMS
 Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
 - A Microsoft Edge browser window opens, showing just the test and nothing else.
+- The clipboard is cleared.
 - Students aren’t able to go to other websites.
 - Students can’t open or access other apps.
 - Students can't share, print, or record their screens.
-- Students can’t copy or paste.
 - Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
 - Cortana is turned off.
 

education/windows/take-a-test-single-pc.md

@@ -20,10 +20,10 @@ author: jdeckerMS
 The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
 - A Microsoft Edge browser window opens, showing just the test and nothing else.
+- The clipboard is cleared.
 - Students aren’t able to go to other websites.
 - Students can’t open or access other apps.
 - Students can't share, print, or record their screens.
-- Students can’t copy or paste.
 - Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
 - Cortana is turned off.
 

education/windows/take-tests-in-windows-10.md

@@ -20,10 +20,10 @@ author: jdeckerMS
 Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
 - **Take a Test** shows just the test and nothing else.
+- **Take a Test** clears the clipboard.
 - Students aren’t able to go to other websites.
 - Students can’t open or access other apps.
 - Students can't share, print, or record their screens.
-- Students can’t copy or paste.
 - Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
 - Cortana is turned off.
 

windows/deploy/TOC.md

@@ -35,6 +35,7 @@
 ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
 ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
 ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
+## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
 ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
 ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
 ## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)

windows/deploy/change-history-for-deploy-windows-10.md

@@ -15,7 +15,8 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
 | New or changed topic | Description |
 |----------------------|-------------|
 | [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
-| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated |
+| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated support statement for Office 2016 |
+| [Windows 10 upgrade paths](windows-10-upgrade-paths.md) | New |
 
 ## May 2016
 | New or changed topic | Description |

windows/deploy/index.md

@@ -23,6 +23,7 @@ Learn about deploying Windows 10 for IT professionals.
 |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
+|[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
 |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
 |[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. |
 |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |

windows/deploy/windows-10-edition-upgrades.md

@@ -15,17 +15,17 @@ author: greg-lindsay
 -   Windows 10
 -   Windows 10 Mobile
 
-With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882).
+With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
 
-The following table shows the methods you can use to upgrade editions of Windows 10.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
 
 |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
 |-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |
-| Using a provisioning package |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |
-| Using a command-line tool |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |
-| Entering a product key manually |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |
-| Purchasing a license from the Windows Store |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |
+| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |
+| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |
+| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
+| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
+| Purchasing a license from the Windows Store |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |
 
 **Note**<br>Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
 

windows/deploy/windows-10-poc-mdt.md

@@ -0,0 +1,28 @@
+---
+title: Placeholder (Windows 10)
+description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit 
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
+
+**Applies to**
+
+-   Windows 10
+
+## In this guide
+
+## Related Topics
+
+ 
+
+ 
+
+
+
+
+

windows/deploy/windows-10-poc-sccm.md

@@ -0,0 +1,28 @@
+---
+title: Placeholder (Windows 10)
+description: Deploy Windows 10 in a test lab using System Center Configuration Manager 
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Deploy Windows 10 in a test lab using System Center Configuration Manager
+
+**Applies to**
+
+-   Windows 10
+
+## In this guide
+
+## Related Topics
+
+ 
+
+ 
+
+
+
+
+

windows/deploy/windows-10-upgrade-paths.md

@@ -0,0 +1,416 @@
+---
+title: Windows 10 upgrade paths (Windows 10)
+description: You can upgrade to Windows 10 from a previous version of Windows, providing the upgrade path is supported.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+author: greg-lindsay
+---
+
+# Windows 10 upgrade paths
+**Applies to**
+
+-   Windows 10
+-   Windows 10 Mobile
+
+## Upgrade paths
+
+This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
+
+>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.  
+
+>**Free upgrade**: Some upgrade paths qualify for a free upgrade using Windows Update. For a list of upgrade paths that are available as part of the free upgrade offer, see [Free upgrade paths](#Free-upgrade-paths).
+
+✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
+D = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+<table border="1" cellpadding="3">
+    <tr>
+        <td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
+        <td></td>
+        <td>Windows 10 Home</td>
+        <td>Windows 10 Pro</td>
+        <td>Windows 10 Pro for Education</td>
+        <td>Windows 10 Education</td>
+        <td>Windows 10 Enterprise</td>
+        <td>Windows 10 Mobile</td>
+        <td>Windows 10 Mobile Enterprise</td>
+    </tr>
+    <tr>
+        <td rowspan="7" nowrap="nowrap">Windows 7</td>
+    </tr>
+    <tr>
+        <td>Starter</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Home Basic</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Home Premium</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Professional</td>
+        <td>D</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Ultimate</td>
+        <td>D</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Enterprise</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td rowspan="8" nowrap="nowrap">Windows 8</td>
+    </tr>
+    <tr>
+        <td>(Core)</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Professional</td>
+        <td>D</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Professional WMC</td>
+        <td>D</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Enterprise</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Embedded Industry</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Windows RT</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Windows Phone 8</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td rowspan="10" nowrap="nowrap">Windows 8.1</td>
+    </tr>
+    <tr>
+        <td>(Core)</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Connected</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Professional</td>
+        <td>D</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Professional Student</td>
+        <td>D</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Professional WMC</td>
+        <td>D</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Enterprise</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Embedded Industry</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Windows RT</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Windows Phone 8.1</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td></td>
+    </tr>
+    <tr>
+        <td rowspan="7" nowrap="nowrap">Windows 10</td>
+    </tr>
+    <tr>
+        <td>Home</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Professional</td>
+        <td>D</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Education</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td>D</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Enterprise</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td>✔</td>
+        <td></td>
+        <td></td>
+    </tr>
+    <tr>
+        <td>Mobile</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>✔</td>
+        <td>✔</td>
+    </tr>
+    <tr>
+        <td>Mobile Enterprise</td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td>D</td>
+        <td>✔</td>
+    </tr>
+</table>
+
+## Free upgrade paths
+
+Windows 10 is offered as a free upgrade for the first year after launch of Windows 10, with the following restrictions: 
+- The offer expires on July 29th, 2016.
+- The offer applies to devices connected to the Internet with Windows Update enabled.
+- Upgrading to Windows 10 Pro requires a computer running the Pro or Ultimate version of Windows 7/8/8.1.
+- Windows Phone 8.0 users must update to Windows 8.1 before upgrading to Windows 10 Mobile<sup>1</sup>. 
+- Editions that are excluded from the free upgrade offer include: Windows 7 Enterprise, Windows 8/8.1 Enterprise, and Windows RT/RT 8.1<sup>2</sup>. 
+
+><sup>1</sup>The availability of Windows 10 Mobile for Windows 8.1 devices will vary by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. For a list of eligible phones and important info about the upgrade and Windows 10 Mobile, see [Windows 10 specifications](http://windows.com/specsmobile).
+
+><sup>2</sup>Active Software Assurance customers in volume licensing have the benefit to upgrade to Windows 10 Enterprise outside of this offer. Windows 10 is not supported on devices running the RT versions of Windows 8.
+
+The following table summarizes the free upgrade paths to Windows 10. For a list of frequently asked questions about the free upgrade to Windows 10, see [Upgrade to Windows 10: FAQ](http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq).
+
+<table border="1" cellpadding="3">
+    <tr>
+        <td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
+        <td>From</td>
+        <td>To</td>
+    </tr>
+    <tr>
+        <td BGCOLOR="#a0e4fa" colspan="3">Windows 7</td>
+    </tr>
+    <tr>
+        <td></td>
+        <td>Windows 7 Starter</td>
+        <td rowspan="3">Windows 10 Home</td>
+    </tr>
+    <tr>
+        <td>&nbsp;</td>
+        <td>Windows 7 Home Basic</td>
+    </tr>
+    <tr>
+        <td>&nbsp;</td>
+        <td>Windows 7 Home Premium</td>
+    </tr>
+    <tr>
+        <td></td>
+        <td>Windows 7 Professional</td>
+        <td rowspan="2">Windows 10 Pro</td>
+    </tr>
+    <tr>
+        <td>&nbsp;</td>
+        <td>Windows 7 Ultimate</td>
+    </tr>
+        <tr>
+	        <td BGCOLOR="#a0e4fa" colspan="3">Windows 8/8.1</td>
+	    </tr>
+	    <tr>
+	        <td></td>
+	        <td>Windows Phone 8.1</td>
+	        <td>Windows 10 Mobile</td>
+       </tr>
+	    <tr>
+	        <td></td>
+	        <td>Windows 8/8.1</td>
+	        <td>Windows 10 Home</td>
+       </tr>
+    <tr>
+        <td></td>
+        <td>Windows 8/8.1 Pro</td>
+        <td rowspan="2">Windows 10 Pro</td>
+    </tr>
+    <tr>
+        <td>&nbsp;</td>
+        <td>Windows 8/8.1 Pro for Students</td>
+    </tr>
+
+</table>
+
+## Related Topics
+
+[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)<BR>
+[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+ 
+
+ 
+
+
+
+
+

windows/deploy/windows-upgrade-and-migration-considerations.md

@@ -8,13 +8,13 @@ ms.sitesec: library
 author: greg-lindsay
 ---
 
-# Windows Upgrade and Migration Considerations
+# Windows upgrade and migration considerations
 Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
 
-## Upgrade from a Previous Version of Windows
+## Upgrade from a previous version of Windows
 You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
 
-## Migrate Files and Settings
+## Migrate files and settings
 Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
 
 For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349).
@@ -29,13 +29,13 @@ With Windows Easy Transfer, files and settings can be transferred using a netwo
 ### Migrate with the User State Migration Tool
 You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
 
-## Upgrade and Migration Considerations
+## Upgrade and migration monsiderations
 Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
 
-### Application Compatibility
+### Application compatibility
 For more information about application compatibility in Windows, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349).
 
-### Multilingual Windows Image Upgrades
+### Multilingual Windows image upgrades
 When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
 
 If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
@@ -43,7 +43,7 @@ If you are using a single-language Windows image that matches the system default
 ### Errorhandler.cmd
 When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
 
-### Data Drive ACL Migration
+### Data drive ACL migration
 During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
 
 Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
@@ -57,7 +57,10 @@ Value: "DDACLSys_Disabled" = 1
 This feature is disabled if this registry key value exists and is configured to `1`.
 
 ## Related topics
-- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)<BR>
+[Windows 10 upgrade paths](windows-10-upgrade-paths.md)<BR>
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+
 
  
 

windows/keep-secure/TOC.md

@@ -28,7 +28,18 @@
 #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [VPN profile options](vpn-profile-options.md)
+## [Windows security baselines](windows-security-baselines.md)
 ## [Security technologies](security-technologies.md)
+### [Access Control Overview](access-control.md)
+#### [Dynamic Access Control Overview](dynamic-access-control.md)
+#### [Security identifiers](security-identifiers.md)
+#### [Security Principals](security-principals.md)
+#### [Local Accounts](local-accounts.md)
+#### [Active Directory Accounts](active-directory-accounts.md)
+#### [Microsoft Accounts](microsoft-accounts.md)
+#### [Service Accounts](service-accounts.md)
+#### [Active Directory Security Groups](active-directory-security-groups.md)
+#### [Special Identities](special-identities.md)
 ### [AppLocker](applocker-overview.md)
 #### [Administer AppLocker](administer-applocker.md)
 ##### [Maintain AppLocker policies](maintain-applocker-policies.md)
@@ -670,7 +681,6 @@
 #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
 #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
-<!--##### [Service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
 ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
 ##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 ##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
@@ -692,6 +702,7 @@
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
+#### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
 #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
 #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)

windows/keep-secure/access-control.md

@@ -0,0 +1,137 @@
+---
+title: Access Control Overview (Windows 10)
+description: Access Control Overview
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Access Control Overview
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+
+This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
+
+## <a href="" id="bkmk-over"></a>Feature description
+
+
+Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.
+
+Shared resources are available to users and groups other than the resource’s owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
+
+Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways:
+
+-   Deny access to unauthorized users and groups
+
+-   Set well-defined limits on the access that is provided to authorized users and groups
+
+Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
+
+This content set contains:
+
+-   [Dynamic Access Control Overview](dynamic-access-control.md)
+
+-   [Security identifiers](security-identifiers.md)
+
+-   [Security Principals](security-principals.md)
+
+    -   [Local Accounts](local-accounts.md)
+
+    -   [Active Directory Accounts](active-directory-accounts.md)
+
+    -   [Microsoft Accounts](microsoft-accounts.md)
+
+    -   [Service Accounts](service-accounts.md)
+
+    -   [Active Directory Security Groups](active-directory-security-groups.md)
+
+## <a href="" id="bkmk-app"></a>Practical applications
+
+
+Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
+
+-   Protect a greater number and variety of network resources from misuse.
+
+-   Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs.
+
+-   Enable users to access resources from a variety of devices in numerous locations.
+
+-   Update users’ ability to access resources on a regular basis as an organization’s policies change or as users’ jobs change.
+
+-   Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones).
+
+-   Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.
+
+## Permissions
+
+
+Permissions define the type of access that is granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat.
+
+By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
+
+For any object, you can grant permissions to:
+
+-   Groups, users, and other objects with security identifiers in the domain.
+
+-   Groups and users in that domain and any trusted domains.
+
+-   Local groups and users on the computer where the object resides.
+
+The permissions attached to an object depend on the type of object. For example, the permissions that can be attached to a file are different from those that can be attached to a registry key. Some permissions, however, are common to most types of objects. These common permissions are:
+
+-   Read
+
+-   Modify
+
+-   Change owner
+
+-   Delete
+
+When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print.
+
+When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](http://technet.microsoft.com/library/cc770962.aspx).
+
+**Note**  
+Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](http://technet.microsoft.com/library/cc754178.aspx).
+
+ 
+
+### Ownership of objects
+
+An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](http://technet.microsoft.com/library/cc732983.aspx).
+
+### Inheritance of permissions
+
+Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within a folder inherit the permissions of the folder. Only permissions marked to be inherited will be inherited.
+
+## User rights
+
+
+User rights grant specific privileges and sign-in rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
+
+User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
+
+For more information about user rights, see [User Rights Assignment](user-rights-assignment.md).
+
+## Object auditing
+
+
+With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
+
+For more information about auditing, see [Security Auditing Overview](security-auditing-overview.md).
+
+## See also
+
+-   For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/en-us/library/jj134043(v=ws.11).aspx).
+
+
+ 
+
+ 
+
+
+
+

windows/keep-secure/active-directory-accounts.md

@@ -0,0 +1,851 @@
+---
+title: Active Directory Accounts (Windows 10)
+description: Active Directory Accounts
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Active Directory Accounts
+
+**Applies to**
+-   Windows Server 2016
+
+Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory.
+
+This reference topic does not describe default local user accounts for a member or standalone server or for a Windows client. For more information, see [Local Accounts](local-accounts.md).
+
+## About this topic
+
+
+This topic describes the following:
+
+-   [Default local accounts in Active Directory](#sec-ad-default-accounts)
+
+    -   [Administrator account](#sec-administrator)
+
+    -   [Guest account](#sec-guest)
+
+    -   [HelpAssistant account (installed with a Remote Assistance session)](#sec-helpassistant)
+
+    -   [KRBTGT account](#sec-krbtgt)
+
+-   [Settings for default local accounts in Active Directory](#sec-account-settings)
+
+-   [Manage default local accounts in Active Directory](#sec-manage-local-accounts)
+
+-   [Restrict and protect sensitive domain accounts](#sec-restrict-protect-accounts)
+
+    -   [Separate administrator accounts from user accounts](#task1-separate-admin-accounts)
+
+    -   [Create dedicated workstation hosts without Internet and email access](#task2-admin-workstations)
+
+    -   [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon)
+
+    -   [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation)
+
+-   [Secure and manage domain controllers](#sec-secure-manage-dcs)
+
+## <a href="" id="sec-ad-default-accounts"></a>Default local accounts in Active Directory
+
+
+Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server.
+
+You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU).
+
+The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory.
+
+Primarily, default local accounts do the following:
+
+-   Let the domain represent, identify, and authenticate the identity of the user that is assigned to the account by using unique credentials (user name and password). It is a best practice to assign each user to a single account to ensure maximum security. Multiple users are not allowed to share one account. A user account lets a user sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
+
+-   Authorize (grant or deny) access to resources. After a user’s credentials have been authenticated, the user is authorized to access the network and domain resources based on the user’s explicitly assigned rights on the resource.
+
+-   Audit the actions that are carried out on a user account.
+
+In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications.
+
+Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md).
+
+On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md).
+
+A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below.
+
+Some of the default local accounts are protected by a background process that periodically checks and applies a specific security descriptor. A security descriptor is a data structure that contains security information that is associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the default local accounts or groups is overwritten with the protected settings.
+
+This security descriptor is present on the AdminSDHolder object. If you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object to ensure that it is applied consistently. Be careful when making these modifications, because you are also changing the default settings that are applied to all of your protected accounts.
+
+## <a href="" id="sec-administrator"></a>Administrator account
+
+
+The Administrator account is a default account that is used in all versions of the Windows operating system on every computer and device. The Administrator account is used by the system administrator for tasks that require administrative credentials. This account cannot be deleted or locked out, but the account can be renamed or disabled.
+
+The Administrator account gives the user complete access (Full Control permissions) of the files, directories, services, and other resources that are on that local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. Administrator can also be used to take control of local resources at any time simply by changing the user rights and permissions. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.
+
+**Account group membership**
+
+The Administrator account has membership in the default security groups as described in the Administrator account attributes table later in this topic.
+
+The security groups ensure that you can control administrator rights without having to change each Administrator account. In most instances, you do not have to change the basic settings for this account. However, you might have to change its advanced settings, such as membership in particular groups.
+
+**Security considerations**
+
+After installation of the server operating system, your first task is to set up the Administrator account properties securely. This includes setting up an especially long, strong password, and securing the Remote control and Remote Desktop Services profile settings.
+
+The Administrator account can also be disabled when it is not required. Renaming or disabling the Administrator account makes it more difficult for malicious users to try to gain access to the account. However, even when the Administrator account is disabled, it can still be used to gain access to a domain controller by using safe mode.
+
+On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources.
+
+**Note**  
+When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards.
+
+ 
+
+When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation.
+
+**Administrator account attributes**
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Attribute</th>
+<th>Value</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Well-Known SID/RID</p></td>
+<td><p>S-1-5-&lt;domain&gt;-500</p></td>
+</tr>
+<tr class="even">
+<td><p>Type</p></td>
+<td><p>User</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default container</p></td>
+<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
+</tr>
+<tr class="even">
+<td><p>Default members</p></td>
+<td><p>N/A</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default member of</p></td>
+<td><p>Administrators, Domain Admins, Enterprise Administrators, Domain Users. Note that the Primary Group ID of all user accounts is Domain Users.</p>
+<p>Group Policy Creator Owners, and Schema Admins in Active Directory</p>
+<p>Domain Users group</p></td>
+</tr>
+<tr class="even">
+<td><p>Protected by ADMINSDHOLDER?</p></td>
+<td><p>Yes</p></td>
+</tr>
+<tr class="odd">
+<td><p>Safe to move out of default container?</p></td>
+<td><p>Yes</p></td>
+</tr>
+<tr class="even">
+<td><p>Safe to delegate management of this group to non-service administrators?</p></td>
+<td><p>No</p></td>
+</tr>
+</tbody>
+</table>
+
+ 
+
+## <a href="" id="sec-guest"></a>Guest account
+
+
+The Guest account is a default local account has limited access to the computer and is disabled by default. The Guest account cannot be deleted or disabled, and the account name cannot be changed. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.
+
+The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain.
+
+**Account group membership**
+
+The Guest account has membership in the default security groups that are described in the following Guest account attributes table. By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain.
+
+A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one or more computers.
+
+**Security considerations**
+
+Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with restricted rights and permissions for a very limited period of time.
+
+When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access:
+
+-   Do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
+
+-   Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
+
+-   Do not use the Guest account when the server has external network access or access to other computers.
+
+If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution.
+
+In addition, an administrator is responsible for managing the Guest account. The administrator monitors the Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as needed.
+
+For details about the Guest account attributes, see the following table.
+
+**Guest account attributes**
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Attribute</th>
+<th>Value</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Well-Known SID/RID</p></td>
+<td><p>S-1-5-&lt;domain&gt;-501</p></td>
+</tr>
+<tr class="even">
+<td><p>Type</p></td>
+<td><p>User</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default container</p></td>
+<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
+</tr>
+<tr class="even">
+<td><p>Default members</p></td>
+<td><p>None</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default member of</p></td>
+<td><p>Guests, Domain Guests</p></td>
+</tr>
+<tr class="even">
+<td><p>Protected by ADMINSDHOLDER?</p></td>
+<td><p>No</p></td>
+</tr>
+<tr class="odd">
+<td><p>Safe to move out of default container?</p></td>
+<td><p>Can be moved out, but we do not recommend it.</p></td>
+</tr>
+<tr class="even">
+<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
+<td><p>No</p></td>
+</tr>
+</tbody>
+</table>
+
+ 
+
+## <a href="" id="sec-helpassistant"></a>HelpAssistant account (installed with a Remote Assistance session)
+
+
+The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
+
+HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
+
+**Security considerations**
+
+The SIDs that pertain to the default HelpAssistant account include:
+
+-   SID: S-1-5-&lt;domain&gt;-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
+
+-   SID: S-1-5-&lt;domain&gt;-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
+
+For details about the HelpAssistant account attributes, see the following table.
+
+**HelpAssistant account attributes**
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Attribute</th>
+<th>Value</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Well-Known SID/RID</p></td>
+<td><p>S-1-5-&lt;domain&gt;-13 (Terminal Server User), S-1-5-&lt;domain&gt;-14 (Remote Interactive Logon)</p></td>
+</tr>
+<tr class="even">
+<td><p>Type</p></td>
+<td><p>User</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default container</p></td>
+<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
+</tr>
+<tr class="even">
+<td><p>Default members</p></td>
+<td><p>None</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default member of</p></td>
+<td><p>Domain Guests</p>
+<p>Guests</p></td>
+</tr>
+<tr class="even">
+<td><p>Protected by ADMINSDHOLDER?</p></td>
+<td><p>No</p></td>
+</tr>
+<tr class="odd">
+<td><p>Safe to move out of default container?</p></td>
+<td><p>Can be moved out, but we do not recommend it.</p></td>
+</tr>
+<tr class="even">
+<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
+<td><p>No</p></td>
+</tr>
+</tbody>
+</table>
+
+ 
+
+## <a href="" id="sec-krbtgt"></a>KRBTGT account
+
+
+The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.
+
+KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.
+
+Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.
+
+### KRBTGT account maintenance considerations
+
+A strong password is assigned to the KRBTGT account automatically. Be sure that you change the password on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
+
+On occasion, the KRBTGT account password requires a reset, for example, when an attempt to change the password on the KRBTGT account fails. In order to resolve this issue, you reset the KRBTGT user account password twice by using Active Directory Users and Computers. You must reset the password twice because the KRBTGT account stores only two of the most recent passwords in the password history. By resetting the password twice, you effectively clear all passwords from the password history.
+
+Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
+
+After you reset the KRBTGT password, ensure that event ID 6 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
+
+### Security considerations
+
+It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password.
+
+An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort.
+
+The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected.
+
+For all account types (users, computers, and services)
+
+-   All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid.
+
+-   All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate.
+
+-   NTLM authenticated connections are not affected
+
+Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected.
+
+**Important**  
+Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
+
+For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
+
+### Read-only domain controllers and the KRBTGT account
+
+Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy.
+
+After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.
+
+### KRBTGT account attributes
+
+For details about the KRBTGT account attributes, see the following table.
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Attribute</th>
+<th>Value</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Well-Known SID/RID</p></td>
+<td><p>S-1-5-&lt;domain&gt;-502</p></td>
+</tr>
+<tr class="even">
+<td><p>Type</p></td>
+<td><p>User</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default container</p></td>
+<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
+</tr>
+<tr class="even">
+<td><p>Default members</p></td>
+<td><p>None</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default member of</p></td>
+<td><p>Domain Users group. Note that the Primary Group ID of all user accounts is Domain Users.</p></td>
+</tr>
+<tr class="even">
+<td><p>Protected by ADMINSDHOLDER?</p></td>
+<td><p>Yes</p></td>
+</tr>
+<tr class="odd">
+<td><p>Safe to move out of default container?</p></td>
+<td><p>Can be moved out, but we do not recommend it.</p></td>
+</tr>
+<tr class="even">
+<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
+<td><p>No</p></td>
+</tr>
+</tbody>
+</table>
+
+ 
+
+## <a href="" id="sec-account-settings"></a>Settings for default local accounts in Active Directory
+
+
+Each default local account in Active Directory has a number of account settings that you can use to configure password settings and security-specific information, as described in the following table.
+
+**Settings for default local accounts in Active Directory**
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Account settings</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>User must change password at next logon</p></td>
+<td><p>Forces a password change the next time that the user logs signs in to the network. Use this option when you want to ensure that the user is the only person to know his or her password.</p></td>
+</tr>
+<tr class="even">
+<td><p>User cannot change password</p></td>
+<td><p>Prevents the user from changing the password. Use this option when you want to maintain control over a user account, such as for a Guest or temporary account.</p></td>
+</tr>
+<tr class="odd">
+<td><p>Password never expires</p></td>
+<td><p>Prevents a user password from expiring. It is a best practice to enable this option with service accounts and to use strong passwords.</p></td>
+</tr>
+<tr class="even">
+<td><p>Store passwords using reversible encryption</p></td>
+<td><p>Provides support for applications that use protocols requiring knowledge of the plaintext form of the user’s password for authentication purposes.</p>
+<p>This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).</p></td>
+</tr>
+<tr class="odd">
+<td><p>Account is disabled</p></td>
+<td><p>Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.</p></td>
+</tr>
+<tr class="even">
+<td><p>Smart card is required for interactive logon</p></td>
+<td><p>Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.</p>
+<p>When this attribute is applied on the account, the effect is as follows:</p>
+<ul>
+<li><p>The attribute only restricts initial authentication for interactive logon and Remote Desktop logon. When interactive or Remote Desktop logon requires a subsequent network logon, such as with a domain credential, an NT Hash provided by the domain controller is used to complete the smartcard authentication process</p></li>
+<li><p>Each time the attribute is enabled on an account, the account’s current password hash value is replaced with a 128-bit random number. This invalidates the use of any previously configured passwords for the account. The value does not change after that unless a new password is set or the attribute is disabled and re-enabled.</p></li>
+<li><p>Accounts with this attribute cannot be used to start services or run scheduled tasks.</p></li>
+</ul></td>
+</tr>
+<tr class="odd">
+<td><p>Account is trusted for delegation</p></td>
+<td><p>Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the <strong>Delegation</strong> tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the <strong>setspn</strong> command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.</p></td>
+</tr>
+<tr class="even">
+<td><p>Account is sensitive and cannot be delegated</p></td>
+<td><p>Gives control over a user account, such as for a Guest account or a temporary account. This option can be used if this account cannot be assigned for delegation by another account.</p></td>
+</tr>
+<tr class="odd">
+<td><p>Use DES encryption types for this account</p></td>
+<td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
+<div class="alert">
+<strong>Note</strong>  
+<p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).</p>
+</div>
+<div>
+ 
+</div></td>
+</tr>
+<tr class="even">
+<td><p>Do not require Kerberos preauthentication</p></td>
+<td><p>Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option. Note that domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time.</p></td>
+</tr>
+</tbody>
+</table>
+
+ 
+
+## <a href="" id="sec-manage-local-accounts"></a>Manage default local accounts in Active Directory
+
+
+After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers. Default local accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers Microsoft Management Console (MMC) and by using command-line tools.
+
+You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner.
+
+For more information about creating and managing local user accounts in Active Directory, see [Manage Local Users](http://technet.microsoft.com/library/cc731899.aspx).
+
+You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network.
+
+You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool. For more information, see [Microsoft Security Compliance Manager](http://technet.microsoft.com/library/cc677002.aspx).
+
+Some of the default local user accounts are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This security descriptor is present on the AdminSDHolder object.
+
+This means, when you want to modify the permissions on a service administrator group or on any of its member accounts, you are also required to modify the security descriptor on the AdminSDHolder object. This approach ensures that the permissions are applied consistently. Be careful when you make these modifications, because this action can also affect the default settings that are applied to all of your protected administrative accounts.
+
+## <a href="" id="sec-restrict-protect-accounts"></a>Restrict and protect sensitive domain accounts
+
+
+Restricting and protecting domain accounts in your domain environment requires you to adopt and implement the following best practices approach:
+
+-   Strictly limit membership to the Administrators, Domain Admins, and Enterprise Admins groups.
+
+-   Stringently control where and how domain accounts are used.
+
+Member accounts in the Administrators, Domain Admins, and Enterprise Admins groups in a domain or forest are high-value targets for malicious users. It is a best practice to strictly limit membership to these administrator groups to the smallest number of accounts in order to limit any exposure. Restricting membership in these groups reduces the possibility that an administrator might unintentionally misuse these credentials and create a vulnerability that malicious users can exploit.
+
+Moreover, it is a best practice to stringently control where and how sensitive domain accounts are used. Restrict the use of Domain Admins accounts and other administrator accounts to prevent them from being used to sign in to management systems and workstations that are secured at the same level as the managed systems. When administrator accounts are not restricted in this manner, each workstation from which a domain administrator signs in provides another location that malicious users can exploit.
+
+Implementing these best practices is separated into the following tasks:
+
+-   [Separate administrator accounts from user accounts](#task1-separate-admin-accounts)
+
+-   [Create dedicated workstation hosts for administrators](#task2-admin-workstations)
+
+-   [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon)
+
+-   [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation)
+
+Note that, to provide for instances where integration challenges with the domain environment are expected, each task is described according to the requirements for a minimum, better, and ideal implementation. As with all significant changes to a production environment, ensure that you test these changes thoroughly before you implement and deploy them. Then stage the deployment in a manner that allows for a rollback of the change in case technical issues occur.
+
+### <a href="" id="task1-separate-admin-accounts"></a>Separate administrator accounts from user accounts
+
+Restrict Domain Admins accounts and other sensitive accounts to prevent them from being used to sign in to lower trust servers and workstations. Restrict and protect administrator accounts by segregating administrator accounts from standard user accounts, by separating administrative duties from other tasks, and by limiting the use of these accounts. Create dedicated accounts for administrative personnel who require administrator credentials to perform specific administrative tasks, and then create separate accounts for other standard user tasks, according to the following guidelines:
+
+-   **Privileged account**. Allocate administrator accounts to perform the following administrative duties only:
+
+    -   **Minimum**. Create separate accounts for domain administrators, enterprise administrators, or the equivalent with appropriate administrator rights in the domain or forest. Use accounts that have been granted sensitive administrator rights only to administer domain data and domain controllers.
+
+    -   **Better**. Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators, and accounts with user rights over designated Active Directory organizational units (OUs).
+
+    -   **Ideal**. Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels. Set up each administrator account with significantly different user rights, such as for workstation administration, server administration and domain administration, to let the administrator sign in to given workstations, servers and domain controllers based strictly on his or her job responsibilities.
+
+-   **Standard user account**. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights.
+
+**Important**  
+Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section.
+
+ 
+
+### <a href="" id="task2-admin-workstations"></a>Create dedicated workstation hosts without Internet and email access
+
+Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks. Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see [Separate administrator accounts from user accounts](#task1-separate-admin-accounts).
+
+**Note**  
+If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task.
+
+ 
+
+-   **Minimum**. Build dedicated administrative workstations and block Internet access on those workstations including web browsing and email. Use the following ways to block Internet access:
+
+    -   Configure authenticating boundary proxy services, if they are deployed, to disallow administrator accounts from accessing the Internet.
+
+    -   Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that are assigned to dedicated administrative workstations.
+
+    -   Block outbound access to the boundary proxy servers in the Windows Firewall.
+
+    The instructions for meeting this minimum requirement are described in the following procedure.
+
+-   **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections.
+
+-   **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md).
+
+The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
+
+**Note**  
+In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure.
+
+**To install administrative workstations in a domain and block Internet and email access (minimum)**
+
+1.  As a domain administrator on a domain controller, open Active Directory Users and Computers, and create a new OU for administrative workstations.
+
+2.  Create computer accounts for the new workstations.
+
+    > **Note**&nbsp;&nbsp;You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
+
+    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif)
+
+3.  Close Active Directory Users and Computers.
+
+4.  Start the **Group Policy Management** Console (GPMC).
+
+5.  Right-click the new OU, and &gt; **Create a GPO in this domain, and Link it here**.
+
+    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample2.png)
+
+6.  Name the GPO, and &gt; **OK**.
+
+7.  Expand the GPO, right-click the new GPO, and &gt; **Edit**.
+
+    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample3.png)
+
+8.  Configure which members of accounts can log on locally to these administrative workstations as follows:
+
+    1.  Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**.
+
+    2.  Double-click **Allow log on locally**, and then select the **Define these policy settings** check box.
+
+    3.  Click **Add User or Group** &gt; **Browse**, type **Enterprise Admins**, and &gt; **OK**.
+
+    4.  Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
+
+        **Important**  
+        These instructions assume that the workstation is to be dedicated to domain administrators.
+
+         
+
+    5.  Click **Add User or Group**, type **Administrators**, and &gt; **OK**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample4.png)
+
+9.  Configure the proxy configuration:
+
+    1.  Navigate to User Configuration\\Policies\\Windows Settings\\Internet Explorer, and &gt; **Connection**.
+
+    2.  Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and &gt; **OK**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample5.png)
+
+10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows:
+
+    1.  Navigate to Computer Configuration\\Policies\\Administrative Templates\\System, and &gt; **Group Policy**.
+
+    2.  Double-click **User Group Policy loopback policy processing mode**, and &gt; **Enabled**.
+
+    3.  Select **Merge Mode**, and &gt; **OK**.
+
+11. Configure software updates as follows:
+
+    1.  Navigate to Computer Configuration\\Policies\\Administrative Templates\\Windows Components, and then click **Windows Update**.
+
+    2.  Configure Windows Update settings as described in the following table.
+
+        <table>
+        <colgroup>
+        <col width="50%" />
+        <col width="50%" />
+        </colgroup>
+        <tbody>
+        <tr class="odd">
+        <td><p><strong>Windows Update Setting</strong></p></td>
+        <td><p><strong>Configuration</strong></p></td>
+        </tr>
+        <tr class="even">
+        <td><p>Allow Automatic Updates immediate installation</p></td>
+        <td><p>Enabled</p></td>
+        </tr>
+        <tr class="odd">
+        <td><p>Configure Automatic Updates</p></td>
+        <td><p>Enabled<br>4 - Auto download and schedule the installation<br>0 - Every day 03:00</p></td>
+        </tr>
+        <tr class="even">
+        <td><p>Enable Windows Update Power Management to automatically wake up the system to install scheduled updates</p></td>
+        <td><p>Enabled</p></td>
+        </tr>
+        <tr class="odd">
+        <td><p>Specify intranet Microsoft Update service location</p></td>
+        <td><p>Enabled http://&lt;WSUSServername&gt; http://&lt;WSUSServername&gt; Where &lt;WSUSServername&gt; is the DNS name or IP address of the Windows Server Update Services (WSUS) in the environment.</p></td>
+        </tr>
+        <tr class="even">
+        <td><p>Automatic Updates detection frequency</p></td>
+        <td><p>6 hours</p></td>
+        </tr>
+        <tr class="odd">
+        <td><p>Re-prompt for restart with scheduled installations</p></td>
+        <td><p>1 minute</p></td>
+        </tr>
+        <tr class="even">
+        <td><p>Delay restart for scheduled installations</p></td>
+        <td><p>5 minutes</p></td>
+        </tr>
+        </tbody>
+        </table>
+
+        > **Note**&nbsp;&nbsp;This step assumes that Windows Server Update Services (WSUS) is installed and configured in the environment. You can skip this step if you use another tool to deploy software updates. Also, if the public Microsoft Windows Update service only is used on the Internet, then these administrative workstations no longer receive updates.
+
+12. Configure the inbound firewall to block all connections as follows:
+
+    1.  Right-click **Windows Firewall with Advanced Security LDAP://path**, and &gt; **Properties**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample6.png)
+
+    2.  On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample7.png)
+
+    3.  Click **OK** to complete the configuration.
+
+13. Close the Group Policy Management Console.
+
+14. Install the Windows operating system on the workstations, give each workstation the same names as the computer accounts assigned to them, and then join them to the domain.
+
+### <a href="" id="task3-restrict-admin-logon"></a>Restrict administrator logon access to servers and workstations
+
+It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer.
+
+**Important**  
+Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation.
+
+ 
+
+Restrict logon access to lower-trust servers and workstations by using the following guidelines:
+
+-   **Minimum**. Restrict domain administrators from having logon access to servers and workstations. Before starting this procedure, identify all OUs in the domain that contain workstations and servers. Any computers in OUs that are not identified will not restrict administrators with sensitive accounts from signing-in to them.
+
+-   **Better**. Restrict domain administrators from non-domain controller servers and workstations.
+
+-   **Ideal**. Restrict server administrators from signing in to workstations, in addition to domain administrators.
+
+**Note**  
+For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations)
+
+ 
+
+**To restrict domain administrators from workstations (minimum)**
+
+1.  As a domain administrator, open the Group Policy Management Console (GPMC).
+
+2.  Open **Group Policy Management**, and expand *&lt;forest&gt;*\\Domains\\*&lt;domain&gt;*, and then expand to **Group Policy Objects**.
+
+3.  Right-click **Group Policy Objects**, and &gt; **New**.
+
+    ![Active Directory local accounts](images/adlocalaccounts-proc2-sample1.png)
+
+4.  In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and &gt; **OK**.
+
+    ![Active Directory local accounts](images/adlocalaccounts-proc2-sample2.png)
+
+5.  Right-click **New GPO**, and &gt; **Edit**.
+
+6.  Configure user rights to deny logon locally for domain administrators.
+
+7.  Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**, and perform the following:
+
+    1.  Double-click **Deny logon locally**, and &gt; **Define these policy settings**.
+
+    2.  Click **Add User or Group**, click **Browse**, type **Enterprise Admins**, and &gt; **OK**.
+
+    3.  Click **Add User or Group**, click **Browse**, type **Domain Admins**, and &gt; **OK**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample3.png)
+
+        **Note**  
+        You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
+
+         
+
+    4.  Click **OK** to complete the configuration.
+
+8.  Configure the user rights to deny batch and service logon rights for domain administrators as follows:
+
+    **Note**  
+    Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services.
+
+     
+
+    1.  Double-click **Deny logon as a batch job**, and &gt; **Define these policy settings**.
+
+    2.  Click **Add User or Group** &gt; **Browse**, type **Enterprise Admins**, and &gt; **OK**.
+
+    3.  Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample4.png)
+
+        **Note**  
+        You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
+
+         
+
+    4.  Double-click **Deny logon as a service**, and &gt; **Define these policy settings**.
+
+    5.  Click **Add User or Group** &gt; **Browse**, type **Enterprise Admins**, and &gt; **OK**.
+
+    6.  Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample5.png)
+
+        **Note**  
+        You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
+
+         
+
+9.  Link the GPO to the first Workstations OU.
+
+    Navigate to the *&lt;forest&gt;*\\Domains\\*&lt;domain&gt;*\\OU Path, and then:
+
+    1.  Right-click the workstation OU, and then &gt; **Link an Existing GPO**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample6.png)
+
+    2.  Select the GPO that you just created, and &gt; **OK**.
+
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample7.png)
+
+10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.
+
+11. Link all other OUs that contain workstations.
+
+    However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations).
+
+    **Important**  
+    If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators.
+
+     
+
+### <a href="" id="task4-disable-account-delegation"></a>Disable the account delegation right for sensitive administrator accounts
+
+Although user accounts are not marked for delegation by default, accounts in an Active Directory domain can be trusted for delegation. This means that a service or a computer that is trusted for delegation can impersonate an account that authenticates to them to access other resources across the network.
+
+For sensitive accounts, such as those belonging to members of the Administrators, Domain Admins, or Enterprise Admins groups in Active Directory, delegation can present a substantial risk of rights escalation. For example, if an account in the Domain Admins group is used to sign in to a compromised member server that is trusted for delegation, that server can request access to resources in the context of the Domain Admins account, and escalate the compromise of that member server to a domain compromise.
+
+It is a best practice to configure the user objects for all sensitive accounts in Active Directory by selecting the **Account is sensitive and cannot be delegated** check box under **Account options** to prevent these accounts from being delegated. For more information, see [Setting for default local accounts in Active Directory](#sec-account-settings).
+
+As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it.
+
+![Active Directory local accounts](images/adlocalaccounts-proc3-sample1.png)
+
+## <a href="" id="sec-secure-manage-dcs"></a>Secure and manage domain controllers
+
+
+It is a best practice to strictly enforce restrictions on the domain controllers in your environment. This ensures that the domain controllers:
+
+1.  Run only required software
+
+2.  Required software is regularly updated
+
+3.  Are configured with the appropriate security settings
+
+One aspect of securing and managing domain controllers is to ensure that the default local user accounts are fully protected. It is of primary importance to restrict and secure all sensitive domain accounts, as described in the preceding sections.
+
+Because domain controllers store credential password hashes of all accounts in the domain, they are high-value targets for malicious users. When domain controllers are not well managed and secured by using restrictions that are strictly enforced, they can be compromised by malicious users. For example, a malicious user could steal sensitive domain administrator credentials from one domain controller, and then use these credentials to attack the domain and forest.
+
+In addition, installed applications and management agents on domain controllers might provide a path for escalating rights that malicious users can use to compromise the management service or administrators of that service. The management tools and services, which your organization uses to manage domain controllers and their administrators, are equally important to the security of the domain controllers and the domain administrator accounts. Ensure that these services and administrators are fully secured with equal effort.
+
+## See also
+
+- [Security Principals](security-principals.md)
+
+- [Access Control Overview](access-control.md)

windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md

@@ -1,6 +1,6 @@
 ---
-title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10)
-description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker.
+title: Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality (Windows 10)
+description: Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker.
 ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
 keywords: EDP, Enterprise Data Protection, protected apps, protected app list
 ms.prod: w10
@@ -10,7 +10,7 @@ ms.sitesec: library
 author: eross-msft
 ---
 
-# Add multiple apps to your enterprise data protection (EDP) Protected Apps list
+# Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality
 **Applies to:**
 
 -   Windows 10 Insider Preview
@@ -18,7 +18,7 @@ author: eross-msft
 
 <span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
 
-Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
+Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
 
 **Important**  
 Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -12,6 +12,13 @@ author: brianlic-msft
 # Change history for Keep Windows 10 secure
 This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
+## July 2016
+
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
+
+
 ## June 2016
 
 |New or changed topic | Description |
@@ -19,6 +26,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
 | [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
 | [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
+| [Windows security baselines](windows-security-baselines.md) | New |
 
 ## May 2016
 

windows/keep-secure/create-edp-policy-using-intune.md

@@ -47,7 +47,6 @@ The steps to add your apps are based on the type of app it is; either a Universa
 
 >**Important**<br>EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.<p>
 
-
 >**Note**<br>If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic.
 
 **To add a UWP app**
@@ -83,6 +82,7 @@ The steps to add your apps are based on the type of app it is; either a Universa
           "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
         }
        ```
+       
     ![Microsoft Intune: Add a UWP app to the Protected Apps list](images/intune-addapps.png)
 
     **To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones**

windows/keep-secure/create-edp-policy-using-sccm.md

@@ -1,6 +1,6 @@
 ---
 title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10)
-description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
 ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
 keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
 ms.prod: w10
@@ -15,28 +15,14 @@ author: eross-msft
 
 -   Windows 10 Insider Preview
 -   Windows 10 Mobile Preview
--   System Center Configuration Manager (version 1511 or later)
+-   System Center Configuration Manager (version 1605 Tech Preview or later)
 
 <span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
 
-Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+System Center Configuration Manager (version 1605 Tech Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network.
 
-## In this topic:
--   [Add an EDP policy](#add-an-edp-policy)
-
--   [Choose which apps can access your enterprise data](#choose-which-apps-can-access-your-enterprise-data)
-
--   [Manage the EDP protection level for your enterprise data](#manage-the-edp-protection-level-for-your-enterprise-data)
-
--   [Define your enterprise-managed identity domains](#define-your-enterprise-managed-identity-domains)
-
--   [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data)
-
--   [Choose your optional EDP-related settings](#choose-your-optional-EDP-related-settings)
-
--   [Review your configuration choices in the Summary screen](#review-your-configuration-choices-in-the-summary-screen)
-
--   [Deploy the EDP policy](#deploy-the-edp-policy)
+>**Important**<br>
+If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions.
 
 ## Add an EDP policy
 After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
@@ -66,32 +52,55 @@ The **Create Configuration Item Wizard** starts.
 
     ![Create Configuration Item wizard, choose the supported platforms for the policy](images/edp-sccm-supportedplat.png)
 
-6.  On the **Device Settings** screen, click **Enterprise Data Protection**, and then click **Next**.
+6.  On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**.
 
     ![Create Configuration Item wizard, choose the enterprise data protection settings](images/edp-sccm-devicesettings.png)
 
-The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization.
+The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization.
 
-## Choose which apps can access your enterprise data
-During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations.
+### Add app rules to your policy
+During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
 
-The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Classic Windows application.
+The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
 
-**Important**<br>EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data leaks during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
+>**Important**<br>
+EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
 
-**To add a UWP app**
+#### Add a store app rule to your policy
+For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
 
-1.  From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
+**To add a store app**
 
-2.  Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them by following these steps.
+1.	From the **App rules** area, click **Add**.
     
-    **To find the Publisher and Product name values for Microsoft Store apps without installing them**
+    The **Add app rule** box appears.
+
+    ![Create Configuration Item wizard, add a universal store app](images/edp-sccm-adduniversalapp.png)
+
+2.	Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
+
+3.	Click **Allow** from the **Enterprise data protection mode** drop-down list.
+
+    Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
+
+4.	Pick **Store App** from the **Rule template** drop-down list.
+
+    The box changes to show the store app rule options.
+
+5.	Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the Publisher and Product Name values for Store apps without installing them**
 
 1.	Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
 
+    >**Note**<br>
+    If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+
 2.	Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
 
-    3.  In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value.
+3.	In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
 
     The API runs and opens a text editor with the app details.
 
@@ -102,24 +111,65 @@ The steps to add your apps are based on the type of app it is; either a Universa
         }
     ```
 
-    4.  Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of the **Add app** box, and then click **OK**.
-    <p>**Important**<br>If you don’t see the **Product Name** box, it could mean that your tenant is not on the latest build and that you need to wait until it's upgraded. Same applies if you see the **AppId** box. The **AppId** box has been removed in the latest build and should disappear (along with any entries) when your tenant is upgraded.
-    <p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<br>    
+4.  Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
 
-        ```
+    >**Important**<br>
+    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:
+       ```json
         {
             "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
         }
         ```
 
-        ![Create Configuration Item wizard, add a Universal Windows Platform (UWP) app](images/edp-sccm-adduniversalapp.png)
+**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
+1.	If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
 
-**To add a Classic Windows application**
+    >**Note**<br>
+    Your PC and phone must be on the same wireless network.
 
-1.  From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
-<p>A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
+2.	On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
 
-2.  Click **Desktop App**, pick the options you want (see table), and then click **OK**.
+3.	On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4.	Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5.	In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6.	On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7.	Start the app for which you're looking for the publisher and product name values.
+
+8.	Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+    >**Important**<br>
+    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:
+       ```json
+        {
+            "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+        }
+        ```
+
+#### Add a desktop app rule to your policy
+For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
+
+**To add a desktop app to your policy**
+1.	From the **App rules** area, click **Add**.
+    
+    The **Add app rule** box appears.
+
+    ![Create Configuration Item wizard, add a classic desktop app](images/edp-sccm-adddesktopapp.png)
+
+2.	Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+
+3.	Click **Allow** from the **Enterprise data protection mode** drop-down list.
+
+    Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
+
+4.	Pick **Desktop App** from the **Rule template** drop-down list.
+
+    The box changes to show the desktop app rule options.
+
+5.	Pick the options you want to include for the app rule (see table), and then click **OK**.
 
     <table>
         <tr>
@@ -139,21 +189,21 @@ The steps to add your apps are based on the type of app it is; either a Universa
             <td>All files for the specified product, signed by the named publisher.</td>
         </tr>
         <tr>
-            <td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</td>
+            <td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>Binary name</strong> selected</td>
             <td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
         </tr>
         <tr>
-            <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong>, selected</td>
-            <td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
-        </tr>
-        <tr>
-            <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</td>
+            <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, and above</strong>, selected</td>
             <td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
         </tr>
         <tr>
-            <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</td>
+            <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, And below</strong> selected</td>
             <td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
         </tr>
+        <tr>
+            <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, Exactly</strong> selected</td>
+            <td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
+        </tr>
     </table>
 
 If you’re unsure about what to include for the publisher, you can run this PowerShell command:
@@ -172,43 +222,166 @@ Path                   Publisher
 ```
 Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
 
-![Create Configuration Item wizard, add a Classic Windows app](images/edp-sccm-adddesktopapp.png)
+#### Add an AppLocker policy file
+For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content.
 
-## Manage the EDP-protection level for your enterprise data
-After you've added the apps you want to protect with EDP, you'll need to apply an app management mode.
+**To create an app rule and xml file using the AppLocker tool**
+1.	Open the Local Security Policy snap-in (SecPol.msc).
     
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
+2.	In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
+
+    ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
+
+3.	Right-click in the right-hand pane, and then click **Create New Rule**.
+
+    The **Create Packaged app Rules** wizard appears.
+
+4. On the **Before You Begin** page, click **Next**.
+
+    ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png)
+
+5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
+
+    ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png)
+
+6.	On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
+
+    ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
+
+7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos.
+
+    ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
+
+8. On the updated **Publisher** page, click **Create**.
+
+    ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
+
+9. Review the Local Security Policy snap-in to make sure your rule is correct.
+
+    ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
+
+10.	In the left pane, right-click on **AppLocker**, and then click **Export policy**.
+
+    The **Export policy** box opens, letting you export and save your new policy as XML.
+
+    ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
+
+11.	In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
+
+    The policy is saved and you’ll see a message that says 1 rule was exported from the policy.
+
+    **Example XML file**<br>
+    This is the XML file that AppLocker creates for Microsoft Photos.
+
+    ```xml
+     <AppLockerPolicy Version="1">
+        <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
+        <RuleCollection Type ="Msi" EnforcementMode="NotConfigured" />
+        <RuleCollection Type ="Script" EnforcementMode="NotConfigured" />
+        <RuleCollection Type ="Dll" EnforcementMode="NotConfigured" />
+        <RuleCollection Type ="Appx" EnforcementMode="NotConfigured">
+            <FilePublisherRule Id="5e0c752b-5921-4f72-8146-80ad5f582110" Name="Microsoft.Windows.Photos, version 16.526.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
+                <Conditions>
+                    <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">
+                        <BinaryVersionRange LowSection="16.526.0.0" HighSection="*" />
+                    </FilePublisherCondition>
+                </Conditions>
+            </FilePublisherRule>
+        </RuleCollection>
+	</AppLockerPolicy>
+    ```
+12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager.
+
+**To import your Applocker policy file app rule using 1System Center Configuration Manager**
+1.	From the **App rules** area, click **Add**.
+    
+    The **Add app rule** box appears.
+
+    ![Create Configuration Item wizard, add an AppLocker policy](images/edp-sccm-addapplockerfile.png)
+
+2.	Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*.
+
+3.	Click **Allow** from the **Enterprise data protection mode** drop-down list.
+
+    Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
+
+4.	Pick the **AppLocker policy file** from the **Rule template** drop-down list.
+
+    The box changes to let you import your AppLocker XML policy file.
+
+5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box.
+
+    The file is imported and the apps are added to your **App Rules** list.
+
+#### Exempt apps from EDP restrictions
+If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
+
+**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
+
+1.	From the **App rules** area, click **Add**.
+    
+    The **Add app rule** box appears.
+
+2.	Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*.
+
+3.	Click **Exempt** from the **Enterprise data protection mode** drop-down list.
+
+    Be aware that when you exempt apps, they’re allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
+
+4.	Fill out the rest of the app rule info, based on the type of rule you’re adding:
+
+    - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
+
+    - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
+
+    - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
+
+5.	Click **OK**.
+
+### Manage the EDP-protection level for your enterprise data
+After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
+
+We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
 
 |Mode |Description |
 |-----|------------|
 |Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
-|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything. |
-|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.
-<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
+|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
+|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
 
 ![Create Configuration Item wizard, choose your EDP-protection level](images/edp-sccm-appmgmt.png)
 
-## Define your enterprise-managed identity domains
-Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
+### Define your enterprise-managed identity domains
+Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
 
-You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
+You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
 
-This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
+**To add your corporate identity**
 
-![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/sccm-primary-domain.png)
+- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
 
-**To add your primary domain**
+    ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/edp-sccm-corp-identity.png)
 
--   Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.<p>
-If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
 
-## Choose where apps can access enterprise data
-After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
+There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
 
-**To specify where your protected apps can find and send enterprise data on the network**
+>**Important**<br>
+- Every EDP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations.
+
+**To define where your protected apps can find and send enterprise data on you network**
+
+1. Add additional network locations your apps can access by clicking **Add**.
+
+    The **Add or edit corporate network definition** box appears.
+
+2.	Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
+
+    ![Add or edit corporate network definition box, Add your enterprise network locations](images/edp-sccm-add-network-domain.png)
 
-1.  Add additional network locations your apps can access by clicking **Add**, and then choosing your location type, including:
     <table>
         <tr>
             <th>Network location type</th>
@@ -216,65 +389,145 @@ After you've added a management level to your protected apps, you'll need to dec
             <th>Description</th>
         </tr>
         <tr>
-            <td>Enterprise Cloud Domain</td>
-            <td>contoso.sharepoint.com,proxy1.contoso.com|<br>office.com|proxy2.contoso.com</td>
-            <td>Specify the cloud resources traffic to restrict to your protected apps.<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the &#x7C; delimiter. Include the "|" delimiter just before the "|" if you don’t use proxies. For example: [URL,Proxy]|[URL,Proxy].</td>     
+            <td>Enterprise Cloud Resources</td>
+            <td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
+            <td>Specify the cloud resources to be treated as corporate and protected by EDP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
         </tr>
         <tr>
-            <td>Enterprise Network Domain</td>
-            <td>domain1.contoso.com,domain2.contoso.com</td>
-            <td>Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.</td>                
+            <td>Enterprise Network Domain Names (Required)</td>
+            <td>corp.contoso.com,region.contoso.com</td>
+            <td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>                
         </tr>
         <tr>
-            <td>Enterprise Proxy Server</td>
-            <td>domain1.contoso.com:80;domain2.contoso.com:137</td>
-            <td>Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.</td>                
+            <td>Enterprise Proxy Servers</td>
+            <td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
+            <td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.<p>This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
         </tr>
         <tr>
-            <td>Enterprise Internal Proxy Server</td>
-            <td>proxy1.contoso.com;proxy2.contoso.com</td>
-            <td>Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.</td>                
+            <td>Enterprise Internal Proxy Servers</td>
+            <td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
+            <td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.<p>This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>                
         </tr>
         <tr>
-            <td>Enterprise IPv4 Range</td>
-            <td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254</td>
-            <td>Specify the addresses for a valid IPv4 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</td>
+            <td>Enterprise IPv4 Range (Required)</td>
+            <td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
+            <td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
         </tr>
         <tr>
             <td>Enterprise IPv6 Range</td>
-            <td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
-            <td>Specify the addresses for a valid IPv6 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</td>
+            <td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
+            <td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
+        </tr>
+        <tr>
+            <td>Neutral Resources</td>
+            <td>sts.contoso.com,sts.contoso2.com</td>
+            <td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
         </tr>           
     </table>
 
-    ![Create Configuration Item wizard, specify the network locations that can be accessed by the protected apps](images/edp-sccm-primarydomain2.png)
+3.	Add as many locations as you need, and then click **OK**.
 
-2.  Add as many locations as you need, and then click **OK**.<p>
-The **Add or Edit Enterprise Network Locations box** closes.
+    The **Add or edit corporate network definition** box closes.
 
-3.  In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.<p>
-Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
+4.	Decide if you want to Windows to look for additional network settings.
 
-## Choose your optional EDP-related settings
+    ![Create Configuration Item wizard, Add whether to search for additional network settings](images/edp-sccm-optsettings.png)
+
+        - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+        - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+        - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+
+5.	In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+    After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. 
+    
+    For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
+
+    ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png)
+
+#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP
+If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
+
+>**Important**<br>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy.
+
+**To manually create an EFS DRA certificate**
+1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
+2. Run this command:
+    
+    `cipher /r:<EFSDRA>`<br>Where `<EFSDRA>` is the name of the .cer and .pfx files that you want to create.
+
+3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
+
+    The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. 
+
+    **Important**<br>Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location.
+
+4.	Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic.
+
+**To verify your data recovery certificate is correctly set up on an EDP client computer**
+1.	Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP.
+
+2.	Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
+
+    `cipher /c <filename>`<br>Where `<filename>` is the name of the file you created in Step 1.
+
+3.	Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
+
+**To recover your data using the EFS DRA certificate in a test environment**
+1.	Copy your EDP-encrypted file to a location where you have admin access.
+
+2.	Install the EFSDRA.pfx file, using your password.
+
+3.	Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
+
+    `cipher /d <encryptedfile.extension>`<br>Where `<encryptedfile.extension>` is the name of your encrypted file. For example, corporatedata.docx.
+
+### Choose your optional EDP-related settings
 After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings.
 
-**To add your optional settings**
--   Choose to set any or all of the optional EDP-related settings:
+![Create Configuration Item wizard, Choose any additional, optional settings](images/edp-sccm-additionalsettings.png)
 
-    -   **Block the user from decrypting data that was created or edited by the apps configured above.** Clicking **No**, or leaving the setting blank, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **Yes** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted.
+**To set your optional settings**
+1.	Choose to set any or all of the optional settings:
 
-    -   **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
+    - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
     
-        ![Create Configuration Item wizard, choose additional optional settings for enterprise data protection](images/edp-sccm-optsettings.png)
+        - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. 
 	
-## Review your configuration choices in the Summary screen
+        - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
+
+    - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are:
+	
+        - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked.
+	
+        - **No, or not configured.**  Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked.
+
+    - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
+
+	    - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
+
+	    - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
+
+    - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+
+        - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
+        
+        - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+
+2. After you pick all of the settings you want to include, click **Summary**.
+
+### Review your configuration choices in the Summary screen
 After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
 
 **To view the Summary screen**
--   Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.<p>
+- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
+
+    ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/edp-sccm-summaryscreen.png)
+ 
     A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
 
-    ![Create Configuration Item wizard, review the Summary screen before creating the policy](images/edp-sccm-summaryscreen.png)
 
 ## Deploy the EDP policy
 After you’ve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
@@ -283,15 +536,6 @@ After you’ve created your EDP policy, you'll need to deploy it to your organiz
 - [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
 
 ## Related topics
-- [System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
+- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
 - [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
 - [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
-
- 
-
- 
-
-
-
-
-

windows/keep-secure/device-guard-deployment-guide.md

@@ -57,7 +57,7 @@ AppLocker and Device Guard should run side-by-side in your organization, which o
 
 **Device Guard with Credential Guard**
 
-Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future.
+Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Refer to the [Credential Guard](credential-guard.md) documentation for guidance on these additional mitigations.
 
 **Unified manageability**
 
@@ -752,7 +752,7 @@ To modify the policy rule options of an existing code integrity policy, use the
 
 You can set several rule options within a code integrity policy. Table 2 lists each rule and its high-level meaning.
 
-Table 2. Code integrity policy - policy rule options
+#### Table 2. Code integrity policy - policy rule options
 
 | Rule option | Description |
 |------------ | ----------- |
@@ -769,15 +769,15 @@ Table 2. Code integrity policy - policy rule options
 | **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
 File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as low as the hash of each binary and as high as a PCA certificate. File rule levels are specified both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules. Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario.
 
-Table 3. Code integrity policy - file rule levels
+#### Table 3. Code integrity policy - file rule levels
 
 | Rule level | Description |
 |----------- | ----------- |
 | **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
 | **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
-| **SignedVersion** | This combines the publisher rule with a file version number. This option allows anything from the specified publisher, with a file version at or above the specified version number, to run. |
+| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
 | **Publisher** | This is a combination of the PCA certificate and the common name (CN) on the leaf certificate. In the scenario that a PCA certificate is used to sign multiple companies’ applications (such as VeriSign), this rule level allows organizations to trust the PCA certificate but only for the company whose name is on the leaf certificate (for example, Intel for device drivers). This level trusts a certificate with a long validity period but only when combined with a trusted leaf certificate. |
-| **FilePublisher** | This is a combination of the publisher file rule level and the SignedVersion rule level. Any signed file from the trusted publisher that is the specified version or newer is trusted. |
+| **FilePublisher** | This is a combination of “FileName” plus “Publisher” (PCA certificate with CN of leaf) plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
 | **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than PCA certificates, so additional administrative overhead is associated with updating the code integrity policy when these certificates expire. |
 | **PcaCertificate** | Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything above the presented signature by going online or checking local root stores. |
 | **RootCertificate** | Currently unsupported. |

windows/keep-secure/dynamic-access-control.md

@@ -0,0 +1,139 @@
+---
+title: Dynamic Access Control Overview (Windows 10)
+description: Dynamic Access Control Overview
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Dynamic Access Control Overview
+
+**Applies to**
+-   Windows Server 2016
+
+This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
+
+Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
+
+For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS).
+
+Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.
+
+Features and concepts associated with Dynamic Access Control include:
+
+-   [Central access rules](#bkmk-rules)
+
+-   [Central access policies](#bkmk-policies)
+
+-   [Claims](#bkmk-claims)
+
+-   [Expressions](#bkmk-expressions2)
+
+-   [Proposed permissions](#bkmk-permissions2)
+
+### <a href="" id="bkmk-rules"></a>Central access rules
+
+A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy.
+
+If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements.
+
+### <a href="" id="bkmk-policies"></a>Central access policies
+
+Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to:
+
+-   Identify and mark the files that contain the PII.
+
+-   Identify the group of HR members who are allowed to view the PII information.
+
+-   Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization.
+
+Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders.
+
+### <a href="" id="bkmk-claims"></a>Claims
+
+A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:
+
+-   **User claims**   Active Directory attributes that are associated with a specific user.
+
+-   **Device claims**   Active Directory attributes that are associated with a specific computer object.
+
+-   **Resource attributes**  Global resource properties that are marked for use in authorization decisions and published in Active Directory.
+
+Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.
+
+### <a href="" id="bkmk-expressions2"></a>Expressions
+
+Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).
+
+Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments.
+
+### <a href="" id="bkmk-permissions2"></a>Proposed permissions
+
+Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.
+
+Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes.
+
+## Additional changes
+
+
+Additional enhancements in the supported versions of Windows that support Dynamic Access Control include:
+
+### Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups.
+
+By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on the resources that recognize Dynamic Access Control.
+
+### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.
+
+Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**.
+
+### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.
+
+Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**.
+
+### Support in Active Directory to store user and device claims, resource properties, and central access policy objects.
+
+### Support for using Group Policy to deploy central access policy objects.
+
+The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: **Computer Configuration\\Policies\\ Windows Settings\\Security Settings\\File System\\Central Access Policy**.
+
+### Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing
+
+You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under **Advanced Audit Policy Configuration** in the **Security Settings** of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network.
+
+### Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts
+
+You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims:
+
+-   **Value-based filtering**  Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the incoming claims with specific values from the trusted forest.
+
+-   **Claim type-based filtering**  Filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest.
+
+-   **Claim type-based transformation**  Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both.
+
+## <a href="" id="software-requirements-"></a>Software requirements
+
+
+Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions:
+
+-   Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server.
+
+-   Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control.
+
+For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:
+
+-   **Always provide claims**   Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.
+
+-   **Supported**   When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control.
+
+If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level.
+
+If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests.
+
+If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level.
+
+A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
+
+## See also
+
+- [Access control overview](access-control.md)

windows/keep-secure/event-1102.md

@@ -70,7 +70,7 @@ This event generates every time Windows Security audit log was cleared.
 
 -   **Security ID** \[Type = SID\]**:** SID of account that cleared the system security audit log. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that cleared the system security audit log.
 

windows/keep-secure/event-4611.md

@@ -75,7 +75,7 @@ You typically see these events during operating system startup or user logon and
 
 -   **Security ID** \[Type = SID\]**:** SID of account that registered the trusted logon process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the trusted logon process.
 

windows/keep-secure/event-4616.md

@@ -82,7 +82,7 @@ You will typically see these events with “**Subject\\Security ID**” = “**L
 
 -   **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation.
 

windows/keep-secure/event-4624.md

@@ -115,7 +115,7 @@ This event generates when a logon session is created (on destination machine). I
 
 -   **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon.
 
@@ -175,7 +175,7 @@ This event generates when a logon session is created (on destination machine). I
 
 -   **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
 

windows/keep-secure/event-4625.md

@@ -89,7 +89,7 @@ This event generates on domain controllers, member servers, and workstations.
 
 -   **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
 
@@ -125,7 +125,7 @@ This event generates on domain controllers, member servers, and workstations.
 
 -   **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.