diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 853813a012..571a848679 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -103,7 +103,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
- Your tenant users must have Exchange mailboxes.
- - Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
+ - Your device account needs a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
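Review bot: the rewritten bullet still names the license "Lync Online (Plan 2)" / "Lync Online (Plan 3)", while the **Assign licenses** step later in this same file tells the reader to select "Skype for Business (Plan 2)" or "Skype for Business (Plan 3)". Since this line is being touched anyway, use one product name across the topic, or state once how the two names map, so the reader can match the requirement to the option shown when assigning the license. The sentence also mixes "needs" and "does not require"; pick one verb.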
@@ -139,7 +139,8 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
- In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
- Click **Save** and you're done.
->**Note**: It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
+>[!NOTE]
+>It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here.
For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account.
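Review bot: the converted note on the added lines says the license can also be assigned with the Windows Azure Active Directory Module for Windows PowerShell but "that's not covered here", and gives no pointer to where it is covered. Link to the topic that documents those cmdlets, or drop the sentence. Blank lines are not visible in this view, so also confirm that one separates the `>[!NOTE]` block from "For validation, ..." in the file; otherwise the following paragraph can render as part of the note.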
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index b5e25471d4..5b6d36d46b 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -25,17 +25,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
-<<<<<<< HEAD
-> **Tip!**
-> To exit **Take a Test**, press Ctrl+Alt+Delete.
-
-
-
-=======
> [!TIP]
> To exit **Take a Test**, press Ctrl+Alt+Delete.
->>>>>>> f50c53382577edc4df9f4e8c3f911e5a8da4bc83
+
## How you use Take a Test
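Review bot: unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, and the `>>>>>>>` line with the commit hash) had reached the committed topic, as the removed lines show, and this hunk only cleans up the one instance by hand. Resolving to the `> [!TIP]` variant is consistent with the `[!NOTE]` syntax used elsewhere in this change. What is missing is a guard: add a pre-merge check that fails when a Markdown file contains a line starting with `<<<<<<<` or `>>>>>>>`, so a conflicted file cannot be published again.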

diff --git a/windows/keep-secure/images/atp-disableantispyware-regkey.png b/windows/keep-secure/images/atp-disableantispyware-regkey.png
new file mode 100644
index 0000000000..ae3d800c69
Binary files /dev/null and b/windows/keep-secure/images/atp-disableantispyware-regkey.png differ
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 0fd2edc0d3..a3358422cb 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -113,4 +113,4 @@ When Windows Defender is not the active antimalware in your organization and you
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
-If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled).
+If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
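Review bot: on the added line the link text reads "Ensure that Windows Defender is not disabled by policy", but the heading and anchor introduced in the troubleshooting topic read "... is not disabled by a policy". Make the link text match the heading. The sentence also still tells the reader to ensure the ELAM driver is enabled and then links to a section whose title is about policy. Add a few words tying the two together, so the link does not look misdirected.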
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index e3c1d51f68..1cb5843937 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -65,7 +65,7 @@ Event ID | Error Type | Resolution steps
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator.
15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
-15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
+15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
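Review bot: in the changed Event ID 15 row, "You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy]" is a comma splice and now pairs an instruction about the driver with a link about policy. Reword it so the row says what the reader should check, for example that on System error 577 they should verify Windows Defender is not disabled by a policy, then give the link as its own sentence. While this table is open: the Event ID 10 row gives the registry path as `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat`, without the trailing "Protection" that the Event ID 5 row has, and "was ran" should be "was run".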
@@ -124,7 +124,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
-- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled)
+- [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy)
### View agent onboarding errors in the endpoint event log
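Review bot: renaming the heading changes its anchor from `#ensure-the-windows-defender-elam-driver-is-enabled` to `#ensure-that-windows-defender-is-not-disabled-by-a-policy`, and this diff updates only the three references visible here (this list, the Event ID 15 row, and the minimum-requirements topic). Search the repository for any remaining links to the old anchor before merging, since they would silently land at the top of the page. The new list item also starts with "Ensure that ..." while its siblings start with "Ensure the ..."; align the wording if that is not intentional.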
@@ -222,98 +222,31 @@ To ensure that sensor has service connectivity, follow the steps described in th
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
-### Ensure the Windows Defender ELAM driver is enabled
-If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
+### Ensure that Windows Defender is not disabled by a policy
+**Problem**: The Windows Defender ATP service does not start after onboarding.
-**Check the ELAM driver status:**
+**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service.
-1. Open a command-line prompt on the endpoint:
+**Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
- a. Click **Start**, type **cmd**, and select **Command prompt**.
+- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared:
-2. Enter the following command, and press Enter:
- ```
- sc qc WdBoot
- ```
- If the ELAM driver is enabled, the output will be:
+ - ```DisableAntiSpyware```
+ - ```DisableAntiVirus```
- ```
- [SC] QueryServiceConfig SUCCESS
+ For example, in Group Policy:
- SERVICE_NAME: WdBoot
- TYPE : 1 KERNEL_DRIVER
- START_TYPE : 0 BOOT_START
- ERROR_CONTROL : 1 NORMAL
- BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys
- LOAD_ORDER_GROUP : Early-Launch
- TAG : 0
- DISPLAY_NAME : Windows Defender Boot Driver
- DEPENDENCIES :
- SERVICE_START_NAME :
- ```
- If the ELAM driver is disabled the output will be:
- ```
- [SC] QueryServiceConfig SUCCESS
+ ```
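Review bot: the rewritten section drops the whole "Check the ELAM driver status" procedure (`sc qc WdBoot` with the expected `START_TYPE : 0 BOOT_START` output), yet the new **Solution** text still says the ELAM driver must be enabled. In the visible part of the new section the reader has no way to confirm the driver state after changing the policy. Keep the `sc qc WdBoot` check as a verification step after the policy guidance. The bullet "set to 0 or that the settings are cleared" should also say where `DisableAntiSpyware` and `DisableAntiVirus` are found for each deployment tool mentioned; the Group Policy example that starts on the last lines is cut off in this view, so confirm it shows the actual setting location and value.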