Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

.gitignore

@@ -6,7 +6,12 @@ _site/
 Tools/NuGet/
 .optemp/
 
+
 .openpublishing.build.mdproj
 .openpublishing.buildcore.ps1
 packages.config
-browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+windows/keep-secure/index.md
+
+# User-specific files  
+.vs/
+

browsers/edge/Index.md

@@ -12,9 +12,8 @@ title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros
 
 **Applies to:**
 
--   Windows 10
--   Windows 10 Mobile
-
+- Windows 10
+- Windows 10 Mobile
 
 Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
 
@@ -26,6 +25,7 @@ Microsoft Edge lets you stay up-to-date through the Windows Store and to manage
 | Topic                  | Description                         |
 | -----------------------| ----------------------------------- |
 |[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) |Lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. |
+|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Guidance about how to use both Microsoft Edge and Internet Explorer 11 in your enterprise.|
 | [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) | Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.|
 | [Available policies for Microsoft Edge](available-policies.md)  | Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. <p>Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. |
 | [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) | If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. <p>Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. |

browsers/edge/TOC.md

@@ -1,5 +1,6 @@
 #[Microsoft Edge - Deployment Guide for IT Pros](index.md)
 ##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
+##[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
 ##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)
 ##[Available policies for Microsoft Edge](available-policies.md)
 ##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)

browsers/edge/available-policies.md

@@ -12,10 +12,8 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros)
 
 **Applies to:**
 
--   Windows 10 Insider Preview
--   Windows 10 Mobile
-
-<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+- Windows 10
+- Windows 10 Mobile
 
 Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
 

browsers/edge/change-history-for-microsoft-edge.md

@@ -9,7 +9,18 @@ ms.sitesec: library
 # Change history for Microsoft Edge
 This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile.
 
-For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/en-us/microsoft-edge/platform/changelog/).
+For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
+
+## July 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). |
+
+## July 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. |
+|[Available policies for Microsoft Edge](available-policies.md) |Updated |
 
 
 ## June 2016

browsers/edge/emie-to-improve-compatibility.md

@@ -13,7 +13,7 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
 
 **Applies to:**
 
--   Windows 10
+- Windows 10
 
 If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
 

browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md

@@ -0,0 +1,51 @@
+---
+title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros)
+description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11.
+ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa
+author: eross-msft
+ms.prod: edge
+ms.mktglfcycl: support
+ms.sitesec: library
+ms.pagetype: appcompat
+---
+
+# Browser: Microsoft Edge and Internet Explorer 11
+**Microsoft Edge content applies to:**
+
+-   Windows 10
+-   Windows 10 Mobile
+
+**Internet Explorer 11 content applies to:**
+
+-   Windows 10
+
+## Enterprise guidance
+Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
+
+We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
+
+### Microsoft Edge
+Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
+
+-   **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
+-   **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
+-   **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
+-   **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
+
+### IE11
+IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.
+
+-   **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.
+-   **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.
+-   **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk.
+-   **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.
+-   **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.
+-   **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
+
+## Related topics
+- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
+- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
+- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
+- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
+- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
+- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)

browsers/edge/hardware-and-software-requirements.md

@@ -13,12 +13,14 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P
 
 **Applies to:**
 
--   Windows 10
--   Windows 10 Mobile
+- Windows 10
+- Windows 10 Mobile
 
 
 Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.
 
+>**Note**<br>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
+
 ## Minimum system requirements
 Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
 

browsers/edge/security-enhancements-microsoft-edge.md

@@ -8,6 +8,12 @@ title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
 ---
 
 # Security enhancements for Microsoft Edge
+
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+
 Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows.
 
 ## Help to protect against web-based security threats
@@ -43,15 +49,15 @@ Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused
 
 The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features:
 
-- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks.
+- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks.
 
-- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured.
+- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured.
 
     **Note**<br>
     Both Microsoft Edge and Internet Explorer 11 support HSTS.
 
 #### All web content runs in an app container sandbox
-Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins.
+Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins.
 
 Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions.
 
@@ -68,10 +74,10 @@ The value of running 64-bit all the time is that it strengthens Windows Address
 #### New extension model and HTML5 support
 Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browser’s processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down.
 
-Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/en-us/microsoft-edge/extensions/).
+Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/).
 
 #### Reduced attack surfaces
-In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/en-us/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible.
+In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible.
 
 Because of the reduced backward compatibility, we’ve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility.
 

browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md

@@ -21,7 +21,7 @@ title: System requirements and language support for Internet Explorer 11 (IE11)
 Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support.
 
 ## Minimum system requirements for IE11
-IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/en-us/library/mt156988.aspx).
+IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx).
 
 **Important**<br> 
 IE11 isn't supported on Windows 8 or Windows Server 2012.

devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md

@@ -8,7 +8,6 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: TrudyHa
-localizationpriority: high
 ---
 
 # Appendix: PowerShell (Surface Hub)
@@ -35,7 +34,7 @@ You can check online for updated versions at [Surface Hub device account scripts
 What do the scripts do?
 
 -   Create device accounts for setups using pure single-forest on-premises (Microsoft Exchange and Skype 2013 and later only) or online (Microsoft Office 365), that are configured correctly for your Surface Hub.
--   Validate existing device accounts for any setup (on-premises, online, or hybrid using Exchange or Lync 2010 or later) to make sure they're compatible with Surface Hub.
+-   Validate existing device accounts for any setup (on-premises or online) to make sure they're compatible with Surface Hub.
 -   Provide a base template for anyone wanting to create their own device account creation or validation scripts.
 
 What do you need in order to run the scripts?

devices/surface-hub/create-and-test-a-device-account-surface-hub.md

@@ -116,8 +116,6 @@ You can check online for updated versions at [Surface Hub device account scripts
 
 Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
 
-![Image showing deployment options: online, on-premises, or hybrid.](images/deploymentoptions-01.png)
-
 -   [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365.
 -   [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
 -   [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365.

devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md

@@ -16,7 +16,7 @@ localizationpriority: high
 
 This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
 
-If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, or are using Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
+If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
 
 1.  Start a remote PowerShell session from a PC and connect to Exchange.
 

devices/surface-hub/online-deployment-surface-hub-device-accounts.md

@@ -16,7 +16,7 @@ localizationpriority: high
 
 This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment.
 
-If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. If you’re using Microsoft Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
+If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. 
 
 1.  Start a remote PowerShell session on a PC and connect to Exchange.
 

devices/surface/ethernet-adapters-and-surface-device-deployment.md

@@ -58,8 +58,7 @@ To boot a Surface device from an alternative boot device, follow these steps:
 >**Note:**  In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.
 
  
-
-To support booting from the network in a Windows Preinstallation Environment (WinPE), such as is used in the Microsoft Deployment Toolkit and Configuration Manager, you must add drivers for the Ethernet adapter to WinPE. You can download the drivers for Surface Ethernet adapters from the Microsoft Download Center page for your specific device. For a list of the available downloads for Surface devices, see [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+For Windows 10, version 1511 and later – including the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10, version 1511 – the drivers for Microsoft Surface Ethernet Adapters are present by default. If you are using a deployment solution that uses Windows Preinstallation Environment (WinPE), like the Microsoft Deployment Toolkit, and booting from the network with PXE, ensure that your deployment solution is using the latest version of the Windows ADK.
 
 ## <a href="" id="manage-mac-addresses"></a>Manage MAC addresses with removable Ethernet adapters
 

education/windows/TOC.md

@@ -1,14 +1,20 @@
 # [Windows 10 for education](index.md)
 ## [Change history for Windows 10 for Education](change-history-edu.md)
 ## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
-## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
-## [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
+## [Setup options for Windows 10](set-up-windows-10.md)
+### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
+### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
+### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
+### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
 ## [Get Minecraft Education Edition](get-minecraft-for-education.md)
 ### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
 ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
-## [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
-### [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
-### [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
-### [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) 
+## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
+### [Set up Take a Test on a single PC ](take-a-test-single-pc.md)
+### [Set up Take a Test on multiple PCs ](take-a-test-multiple-pcs.md)
+### [Take a Test app technical reference ](take-a-test-app-technical.md)
+## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
-## [Chromebook migration guide](chromebook-migration-guide.md)
+## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
+## [Chromebook migration guide](chromebook-migration-guide.md)
+

education/windows/change-history-edu.md

@@ -12,11 +12,25 @@ author: jdeckerMS
 
 This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
 
+
+## RELEASE: Windows 10, version 1607
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: 
+
+- [Set up Windows 10](set-up-windows-10.md)
+- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
+- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
+- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
+
+
 ## July 2016
 
+
 | New or changed topic | Description|
 | --- | --- |
 | [Windows 10 editions for education customers](windows-editions-for-education-customers.md)  | New |
+|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New |
+
+
 
 ## June 2016
 

education/windows/edu-deployment-recommendations.md

@@ -0,0 +1,127 @@
+---
+title: Deployment recommendations for school IT administrators
+description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
+keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"]
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: CelesteDG
+---
+
+# Deployment recommendations for school IT administrators
+**Applies to:**
+
+-   Windows 10
+
+
+Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](http://go.microsoft.com/fwlink/?LinkId=809305).
+
+Here are some best practices and specific privacy settings we’d like you to be aware of.
+
+## Deployment best practices
+
+Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts:
+* A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account.
+
+* If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school.
+* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Windows Store.
+
+## Windows 10 Contacts privacy settings
+
+If you’re an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district:
+* [Configure Windows telemetry in your organization](http://go.microsoft.com/fwlink/?LinkId=817241) - Describes the types of telemetry we gather and the ways you can manage this data.
+* [Manage connections from Windows operating system components to Microsoft services](http://go.microsoft.com/fwlink/?LinkId=817240) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data.
+
+In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student’s contacts list. By default, this setting is turned on.
+
+To change the setting, you can:
+* [Turn off access to contacts for all apps](#turn-off-access-to-contacts-for-all-apps)
+* [Choose the apps that you want to allow access to contacts](#choose-the-apps-that-you-want-to-allow-access-to-contacts)
+
+### Turn off access to contacts for all apps
+To turn off access to contacts for all apps on individual Windows devices:
+1. On the computer, go to **Settings** and select **Privacy**.
+
+   ![Privacy settings](images/settings-privacy-marked.png)
+
+2. Under the list of **Privacy** areas, select **Contacts**.
+
+   ![Contacts privacy settings](images/privacy-contacts-marked.png)
+
+3. Turn off **Let apps access my contacts**.
+
+For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To do this:
+1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**.
+2. Set the **Select a setting** box to **Force Deny**.
+
+### Choose the apps that you want to allow access to contacts
+If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
+
+![Choose apps with access to contacts](images/settings-contacts-app-marked.png)
+
+The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
+
+To allow only certain apps to have access to contacts, you can:
+* Configure each app individually using the **Settings** > **Contacts** option in the Windows UI
+* Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
+
+   ![App privacy Group Policy](images/app-privacy-group-policy.png)
+
+## Skype and Xbox settings
+
+Skype Preview (a Universal Windows Platform [UWP] preview app) and Xbox are preinstalled as part of Windows 10.
+
+The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see this [FAQ](http://go.microsoft.com/fwlink/?LinkId=821441).
+
+With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account.
+
+Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox are not manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories.
+
+If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by:
+* [Managing the user profile](#managing-the-user-profile)
+* [Deleting the account if the user name is part of the identifying information](#delete-an-account-if-username-is-identifying)
+
+### Managing the user profile
+#### Skype
+Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype.
+
+To manage and edit your profile in the Skype UWP app, follow these steps:
+1.	In the Skype UWP app, select the user profile icon  ![Skype profile icon](images/skype-profile-icon.png)  to go to the user’s profile page.
+2.	In the **Accounts** section, select **Manage** for the Skype account that you want to change. This will take you to the online Skype portal.
+3.	In the online Skype portal, scroll down to the Account details section. In Settings and preferences, select Edit profile.
+The profile page includes these sections:
+	 * Profile completeness
+   * Personal information
+   * Contact details
+4. Review the information in each section and click **Edit** to change the information being shared.
+5.	If you do not wish your name to be included, replace the fields with **XXX**.
+6.	To change your profile picture, simply click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
+
+   ![Skype profile icon](images/skype-manage-profile-pic.png)
+
+   * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**).
+   * You can also change the visibility of your profile picture between public (everyone) or your contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**.
+
+#### Xbox
+A user’s Xbox friends and their friends’ friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child’s family can change these default settings to allow it to be more permissive.
+
+To learn more about how families can manage security and privacy settings on Xbox, see this [Xbox article on security](http://go.microsoft.com/fwlink/?LinkId=821445).
+
+
+### Delete an account if username is identifying
+If you want to delete either (or both) the Skype and the Xbox accounts, here’s how to do it.
+
+#### Skype
+To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](http://go.microsoft.com/fwlink/?LinkId=816515)
+
+If you need help deleting the account, you can contact Skype customer service by going to the [Skype support request page](http://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can:
+1.	Select a help topic (**Account and Password**)
+2.	Select a related problem (**Deleting an account**)
+3.	Click **Next**.
+4.	Select a contact method to get answers to your questions.
+
+
+#### Xbox
+To delete an Xbox account, you can follow the instructions here: [How to delete your Microsoft account and personal information associated with it](http://go.microsoft.com/fwlink/?LinkId=816521).
+
+## Related topics
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)

education/windows/index.md

@@ -18,11 +18,12 @@ author: jdeckerMS
 |Topic |Description |
 |------|------------|
 | [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education.  |
-| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | Learn how the Set up School PCs app works and how to use it.  |
-| [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) | See the changes that the Set up School PCs app makes to a PC.  |
+| [Provisioning options for Windows 10](set-up-windows-10.md) | Learn about your options for setting up Windows 10.  |
 | [Get Minecraft Education Edition](get-minecraft-for-education.md) | Learn how to get early access to **Minecraft Education Edition**. |
 | [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 |
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. |
+| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. |
+| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in a school. |
+| [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) |Learn how to deploy Windows 10 in a school district.|
 | [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. |
 
 ## Related topics

education/windows/set-up-school-pcs-technical.md

@@ -9,15 +9,14 @@ ms.pagetype: edu
 author: jdeckerMS
 ---
 
-# Technical reference for the Set up School PCs app (Preview)
+# Technical reference for the Set up School PCs app 
 **Applies to:**
 
--   Windows 10 Insider Preview 
+-   Windows 10 
 
 
-> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
 
-The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic.
+The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607.  **Set up School PCs** also configures school-specific settings and policies, described in this topic.
 
 If your school uses Azure Active Directory (Azure AD) or Office 365, the **Set up School PCs** app will create a setup file that connects the computer to your subscription.  You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. 
 
@@ -91,7 +90,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m
 
 - Saving content locally to the PC is disabled. This prevents data loss by forcing students to save to the cloud.
 - A custom Start layout and sign in background image are set.
-- Prohibits Microsoft Accounts (MSAs) from being created.
 - Prohibits unlocking the PC to developer mode.
 - Prohibits untrusted Windows Store apps from being installed.
 - Prohibits students from removing MDM.
@@ -243,7 +241,7 @@ The **Set up School PCs** app produces a specialized provisioning package that m
 </tr> 
 <tr> <td colspan="2"> <p> <strong>Windows Settings</strong> > <strong>Security Settings</strong> > <strong>Local Policies</strong> > <strong>Security Options</strong></p> </td> 
 </tr> 
-<tr><td><p>Accounts: Block Microsoft accounts</p></td><td><p>Enabled</p></td></tr>
+<tr><td><p>Accounts: Block Microsoft accounts</p><p>**Note** Microsoft accounts can still be used in apps.</p></td><td><p>Enabled</p></td></tr>
 <tr> <td> <p> Interactive logon: Do not display last user name </p> </td> <td> <p> Enabled</p> </td>
 </tr> 
 <tr> <td> <p> Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p> Disabled</p> </td> 

education/windows/set-up-students-pcs-to-join-domain.md

@@ -0,0 +1,93 @@
+---
+title: Set up student PCs to join domain
+description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
+keywords: ["shared cart", "shared PC", "school"]
+ms.prod: W10
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Set up student PCs to join domain
+**Applies to:**
+
+-   Windows 10  
+
+If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure a PC for student use that is joined to the Active Directory domain. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 
+
+## Create the provisioning package
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Provision school devices**. 
+
+  ![Provision school devices](images/icdstart-option.png)
+
+3. Name your project and click **Finish**. The screens for school provisioning will walk you through the following steps.
+
+   ![Wizard for school provisioning](images/icd-school.png)
+
+4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
+
+5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
+    - Home to Education
+    - Pro to Education
+    - Pro to Enterprise
+    - Enterprise to Education
+ 
+6. Click **Set up network**.
+
+7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
+
+8. Click **Enroll into Active Directory**.
+
+9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
+
+    > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
+      - Use a least-privileged domain account to join the device to the domain.
+      - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
+      - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
+
+10. Click **Set up school settings**.
+
+11. Toggle **Yes** or **No** to configure the PC for shared use. 
+
+12. (Optional) Toggle **Yes** or **No** to configure the PC for secure testing. If you select **Yes**, you must also enter the test account to be used and the URL for the test. If you don't configure the test account and URL in this provisioning package, you can do so after the PC is configured; for more information, see [Take tests in Windows 10](take-tests-in-windows-10.md).
+
+10. Click **Finish**.
+
+11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
+
+12. Click **Create**.
+
+13. You will see the file path for your provisioning package (by default, %windir%\Users\*your alias*\Windows Imaging and Configuration Designer (WICD)\*Project name*). Copy the provisioning package to a USB drive.
+
+> **Important**  When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+## Apply package
+
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package-icd.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
+    
+When you see the progress ring, you can remove the USB drive.
+
+    
+

education/windows/set-up-students-pcs-with-apps.md

@@ -0,0 +1,217 @@
+---
+title: Provision student PCs with apps
+description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
+keywords: ["shared cart", "shared PC", "school"]
+ms.prod: W10
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Provision student PCs with apps
+**Applies to:**
+
+-   Windows 10  
+
+
+This topic explains how to create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. 
+
+If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Add apps to a provisioning package](#add-apps-to-a-provisioning-package). If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md), and then follow the steps in [Create a provisioning package to add apps after initial setup](#create-a-provisioning-package-to-add-apps-after-initial-setup).
+
+## Add apps to a provisioning package
+
+1. Follow the steps to [create the provisioning package](set-up-students-pcs-to-join-domain.md#create-the-provisioning-package). 
+
+2. On the **Finish** page, select **Switch to advanced editor**.
+
+  ![Switch to advanced editor](images/icd-school-adv-edit.png)
+
+**Next steps**
+- [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
+- [Add a universal app to your package](#add-a-universal-app-to-your-package)
+- [Build your package](#build-your-package)
+- [Apply the provisioning package to a PC](#apply-package)
+
+
+## Create a provisioning package to add apps after initial setup
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Advanced provisioning**.
+
+  ![ICD start options](images/icdstart-option.png)  
+  
+3. Name your project and click **Next**.
+
+3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.  
+
+**Next steps**
+- [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
+- [Add a universal app to your package](#add-a-universal-app-to-your-package)
+- [Build your package](#build-your-package)
+- [Apply the provisioning package to a PC](#apply-package)
+
+
+## Add a desktop app to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. 
+
+2. Add all the files required for the app install, including the data files and the installer.
+
+3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option. 
+
+> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx). 
+
+**Next steps**
+- (optional) [Add a universal app to your package](#add-a-universal-app-to-your-package)
+- [Build your package](#build-your-package)
+- [Apply the provisioning package to a PC](#apply-package)
+
+## Add a universal app to your package
+
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. 
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. 
+
+2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
+
+    ![details for offline app package](images/uwp-family.png)
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
+
+    ![required frameworks for offline app package](images/uwp-dependencies.png)
+
+5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page.
+
+    ![generate license for offline app](images/uwp-license.png)
+
+[Learn more about distributing offline apps from the Windows Store for Business.](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps)
+
+> **Note:** Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
+
+**Next steps**
+- (optional) [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
+- [Build your package](#build-your-package)
+- [Apply the provisioning package to a PC](#apply-package)
+
+## Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+> **Important**  When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+10. Set a value for **Package Version**.
+
+    **Tip**  
+    You can make changes to existing packages and change the version number to update previously applied packages.
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+    -   **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+    -   **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
+        **Important**  
+        We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
+
+12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
+Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+    -   If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+    
+    -   If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+    -   Shared network folder
+
+    -   SharePoint site
+
+    -   Removable media (USB/SD)
+
+   
+**Next step**
+- [Apply the provisioning package to a PC](#apply-package)
+
+## Apply package 
+
+**During initial setup, from a USB drive**
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
+    
+6. Read and accept the Microsoft Software License Terms.  
+
+    ![Sign in](images/license-terms.png)
+    
+7. Select **Use Express settings**.
+
+    ![Get going fast](images/express-settings.png)
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+    ![Who owns this PC?](images/who-owns-pc.png)
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+    ![Connect to Azure AD](images/connect-aad.png)
+
+10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+    ![Sign in](images/sign-in-prov.png)
+
+    
+**After setup, from a USB drive, network folder, or SharePoint site**
+
+On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and select the package to install. 
+
+![add a package option](images/package.png)
+
+
+
+## Learn more
+
+-  [Develop Universal Windows Education apps](https://msdn.microsoft.com/windows/uwp/apps-for-education/index)
+
+-   [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
+
+-   Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+-   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
+ 
+

education/windows/set-up-windows-10.md

@@ -0,0 +1,37 @@
+---
+title: Provisioning options for Windows 10
+description: Decide which option for setting up Windows 10 is right for you.
+keywords: shared cart, shared PC, school
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+author: jdeckerMS
+---
+
+# Provisioning options for Windows 10
+**Applies to:**
+
+-   Windows 10 
+
+You have two tools to choose from to set up PCs for your classroom: **Set up School PCs** app and the **Provision school devices** option in Windows Imaging and Configuration Designer (ICD). Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). The following diagram compares the tools.
+
+![Which tool to use to set up Windows 10](images/setup-options.png)
+
+
+## In this section
+
+- [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
+- [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
+- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
+- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
+
+
+## Related topics
+
+[Take tests in Windows 10](take-tests-in-windows-10.md)
+
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
+
+
+

education/windows/take-a-test-app-technical.md

@@ -9,13 +9,12 @@ ms.pagetype: edu
 author: jdeckerMS
 ---
 
-# Take a Test app technical reference (Preview)
+# Take a Test app technical reference 
 **Applies to:**
 
--   Windows 10 Insider Preview 
+-   Windows 10 
 
 
-> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
 
 Take a Test is an app that locks down the PC and displays an online assessment web page.   
 
@@ -32,7 +31,9 @@ When running above the lock screen:
 
 - The hardware print screen button is disabled 
 
-- Content within the app will show up as black in screen capturing/sharing software Copy/paste is disabled 
+- Content within the app will show up as black in screen capturing/sharing software 
+
+- System clipboard is cleared 
 
 - Web apps can query the processes currently running in the user’s device
 
@@ -79,5 +80,7 @@ When Take a Test is running, the following functionality is available to student
     - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account)
 
 
+## Learn more
 
+[Take a Test API](https://msdn.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api)
 

education/windows/take-a-test-multiple-pcs.md

@@ -9,14 +9,12 @@ ms.pagetype: edu
 author: jdeckerMS
 ---
 
-# Set up Take a Test on multiple PCs (Preview)
+# Set up Take a Test on multiple PCs 
 **Applies to:**
 
--   Windows 10 Insider Preview  
+-   Windows 10  
 
 
-> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
-
 Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
 - A Microsoft Edge browser window opens, showing just the test and nothing else.

education/windows/take-a-test-single-pc.md

@@ -9,14 +9,12 @@ ms.pagetype: edu
 author: jdeckerMS
 ---
 
-# Set up Take a Test on a single PC (Preview)
+# Set up Take a Test on a single PC 
 **Applies to:**
 
--   Windows 10 Insider Preview  
+-   Windows 10  
 
 
-> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
-
 The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
 - A Microsoft Edge browser window opens, showing just the test and nothing else.

education/windows/take-tests-in-windows-10.md

@@ -9,14 +9,12 @@ ms.pagetype: edu
 author: jdeckerMS
 ---
 
-# Take tests in Windows 10 (Preview)
+# Take tests in Windows 10 
 **Applies to:**
 
--   Windows 10 Insider Preview  
+-   Windows 10   
 
 
-> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
-
 Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
 
 - **Take a Test** shows just the test and nothing else.

education/windows/use-set-up-school-pcs-app.md

@@ -9,13 +9,12 @@ ms.pagetype: edu
 author: jdeckerMS
 ---
 
-# Use the Set up School PCs app (Preview)
+# Use the Set up School PCs app 
 **Applies to:**
 
--   Windows 10 Insider Preview  
+-   Windows 10   
 
 
-> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
 
 Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
 

windows/deploy/TOC.md

@@ -47,8 +47,10 @@
 ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
 ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
 ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+## [Provisioning packages for Windows 10](provisioning-packages.md)
+### [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
+### [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md)
 ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
-## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)
 ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md)
 ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
 ## [Volume Activation [client]](volume-activation-windows-10.md)

windows/deploy/activate-using-active-directory-based-activation-client.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: greg-lindsay
+localizationpriority: medium
 ---
 
 # Activate using Active Directory-based activation

windows/deploy/activate-using-key-management-service-vamt.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: medium
 ---
 
 # Activate using Key Management Service

windows/deploy/activate-windows-10-clients-vamt.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: medium
 ---
 
 # Activate clients running Windows 10

windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: medium
 ---
 # Appendix: Information sent to Microsoft during activation
 **Applies to**

windows/deploy/change-history-for-deploy-windows-10.md

@@ -11,10 +11,18 @@ author: greg-lindsay
 # Change history for Deploy Windows 10
 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
+## RELEASE: Windows 10, version 1607
+
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: 
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [Provision PCs with apps and certificates for initial deployment](provision-pcs-with-apps-and-certificates.md)
+- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
+
 ## July 2016
 | New or changed topic | Description |
 |----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New | 
+| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New |
 
 ## June 2016
 | New or changed topic | Description |
@@ -44,12 +52,3 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
 - [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
 - [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
 - [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
-
- 
-
- 
-
-
-
-
-

windows/deploy/index.md

@@ -15,7 +15,6 @@ Learn about deploying Windows 10 for IT professionals.
 
 |Topic |Description |
 |------|------------|
-|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
 |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
 |[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | 
 |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
@@ -24,13 +23,15 @@ Learn about deploying Windows 10 for IT professionals.
 |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
+| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. |
+|  [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) | Create a provisioning package to add apps and certificates to a PC running Windows 10. |
 |[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
 |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. |
 |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
 |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. |
 |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. |
 |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
+|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
 
 ## Related topics
 - [Windows 10 and Windows 10 Mobile](../index.md)

windows/deploy/monitor-activation-client.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: greg-lindsay
+localizationpriority: medium
 ---
 
 # Monitor activation

windows/deploy/plan-for-volume-activation-client.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: medium
 ---
 
 # Plan for volume activation

windows/deploy/provision-pcs-for-initial-deployment.md

@@ -0,0 +1,133 @@
+---
+title: Provision PCs with common settings (Windows 10)
+description: Create a provisioning package to apply common settings to a PC running Windows 10. 
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Provision PCs with common settings for initial deployment (simple provisioning)
+
+
+**Applies to**
+
+-   Windows 10
+
+This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. 
+
+## Advantages
+-   You can configure new devices without reimaging.
+
+-   Works on both mobile and desktop devices.
+
+-   No network connectivity required.
+
+-   Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
+
+## What does simple provisioning do?
+
+In a simple provisioning package, you can configure:
+
+- Device name
+- Upgraded product edition
+- Wi-Fi network 
+- Active Directory enrollment
+- Local administrator account 
+
+Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). 
+
+> [!TIP]
+> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
+
+![open advanced editor](images/icd-simple-edit.png)
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Simple provisioning**.
+
+  ![ICD start options](images/icdstart-option.png)   
+
+3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps.
+
+  ![ICD simple provisioning](images/icd-simple.png)
+
+4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
+
+5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
+    - Pro to Education
+    - Pro to Enterprise
+    - Enterprise to Education
+   
+6. Click **Set up network**.
+
+7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
+
+8. Click **Enroll into Active Directory**.
+
+9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account.
+
+    > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
+      - Use a least-privileged domain account to join the device to the domain.
+      - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
+      - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
+
+10. Click **Finish**.
+
+11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
+
+12. Click **Create**.
+
+> [!IMPORTANT]
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+## Apply package
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
+    
+
+
+## Learn more
+-   [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
+
+-   Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+-   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+ 
+
+ 
+
+
+
+
+

windows/deploy/provision-pcs-with-apps-and-certificates.md

@@ -0,0 +1,227 @@
+---
+title: Provision PCs with apps and certificates (Windows 10)
+description: Create a provisioning package to apply settings to a PC running Windows 10. 
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Provision PCs with apps and certificates for initial deployment (advanced provisioning)
+
+
+**Applies to**
+
+- Windows 10
+
+
+This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. 
+
+## Advantages
+-   You can configure new devices without reimaging.
+
+-   Works on both mobile and desktop devices.
+
+-   No network connectivity required.
+
+-   Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
+
+## Create the provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
+
+2. Click **Advanced provisioning**.
+
+  ![ICD start options](images/icdstart-option.png)  
+  
+3. Name your project and click **Next**.
+
+3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.  
+
+
+### Add a desktop app to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. 
+
+2. Add all the files required for the app install, including the data files and the installer.
+
+3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. 
+
+> [!NOTE]
+> If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/library/windows/hardware/mt703295%28v=vs.85%29.aspx). 
+
+
+### Add a universal app to your package
+
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. 
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. 
+
+2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
+
+    ![details for offline app package](images/uwp-family.png)
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
+
+    ![required frameworks for offline app package](images/uwp-dependencies.png)
+
+5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page.
+
+    ![generate license for offline app](images/uwp-license.png)
+
+[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md)
+
+> [!NOTE]
+> Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
+
+
+
+### Add a certificate to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. 
+
+2. Enter a **CertificateName** and then click **Add**. 
+
+2. Enter the **CertificatePassword**. 
+
+3. For **CertificatePath**, browse and select the certificate to be used. 
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**. 
+
+
+### Add other settings to your package 
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+### Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+> **Important**  When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+10. Set a value for **Package Version**.
+
+    > [!TIP]  
+    > You can make changes to existing packages and change the version number to update previously applied packages.
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+    -   **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+    -   **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
+        **Important**  
+        We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
+
+12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
+Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+    -   If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+    
+    -   If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+    -   Shared network folder
+
+    -   SharePoint site
+
+    -   Removable media (USB/SD)
+
+    -   Email
+
+    -   USB tether (mobile only)
+
+    -   NFC (mobile only)
+
+
+
+## Apply package
+
+### During initial setup, from a USB drive
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+    ![The first screen to set up a new PC](images/oobe.jpg)
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+    ![Set up device?](images/setupmsg.jpg)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+    ![Provision this device](images/prov.jpg)
+    
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+    ![Choose a package](images/choose-package.png)
+
+5. Select **Yes, add it**.
+
+    ![Do you trust this package?](images/trust-package.png)
+    
+6. Read and accept the Microsoft Software License Terms.  
+
+    ![Sign in](images/license-terms.png)
+    
+7. Select **Use Express settings**.
+
+    ![Get going fast](images/express-settings.png)
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+    ![Who owns this PC?](images/who-owns-pc.png)
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+    ![Connect to Azure AD](images/connect-aad.png)
+
+10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+    ![Sign in](images/sign-in-prov.png)
+    
+
+### After setup, from a USB drive, network folder, or SharePoint site
+
+On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and select the package to install. 
+
+![add a package option](images/package.png)
+
+## Learn more
+-   [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
+
+-   Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+-   Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
+ 
+
+
+
+
+

windows/deploy/provisioning-packages.md

@@ -0,0 +1,141 @@
+---
+title: Provisioning packages (Windows 10)
+description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: mobile
+author: jdeckerMS
+---
+
+# Provisioning packages for Windows 10
+
+
+**Applies to**
+
+-   Windows 10
+-   Windows 10 Mobile
+
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. 
+
+With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+
+Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
+
+## New in Windows 10, Version 1607
+
+The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios. 
+
+![Configuration Designer options](images/icd.png)
+
+Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT administrators:
+
+* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. 
+
+    > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
+
+* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. 
+
+    > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md)
+
+* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: 
+
+    * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) 
+    * AirWatch (password-string based enrollment) 
+    * Mobile Iron (password-string based enrollment) 
+    * Other MDMs (cert-based enrollment) 
+
+> [!NOTE]
+> Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
+
+## Benefits of provisioning packages
+
+
+Provisioning packages let you:
+
+-   Quickly configure a new device without going through the process of installing a new image.
+
+-   Save time by configuring multiple devices using one provisioning package.
+
+-   Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure.
+
+-   Set up a device without the device having network connectivity.
+
+Provisioning packages can be:
+
+-   Installed using removable media such as an SD card or USB flash drive.
+
+-   Attached to an email.
+
+-   Downloaded from a network share.
+
+## What you can configure
+
+
+The following table provides some examples of what can be configured using provisioning packages.
+
+| Customization options    | Examples                                                                                      |
+|--------------------------|-----------------------------------------------------------------------------------------------|
+| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
+| Applications             | Windows apps, line-of-business applications                                                   |
+| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\*                       |
+| Certificates             | Root certification authority (CA), client certificates                                        |
+| Connectivity profiles    | Wi-Fi, proxy settings, Email                                                                  |
+| Enterprise policies      | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
+| Data assets              | Documents, music, videos, pictures                                                            |
+| Start menu customization | Start menu layout, application pinning                                                        |
+| Other                    | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on           |
+\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices.
+ 
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+## Creating a provisioning package
+
+
+With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
+
+When you run ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box:
+
+-   **Configuration Designer**
+
+![Choose Configuration Designer](images/adk-install.png)
+
+> [!NOTE]
+> In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features.
+
+After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
+
+## Applying a provisioning package to a device
+
+
+Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
+
+## Learn more
+
+
+[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708)
+
+## Related topics
+
+- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md)
+- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
+- [Set up a shared or guest PC with Windows 10](../manage/set-up-shared-or-guest-pc.md)
+- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
+- [Set up a device for anyone to use (kiosk mode)](../manage/set-up-a-device-for-anyone-to-use.md)
+- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain)
+
+
+
+
+ 
+
+ 
+
+
+
+
+

windows/deploy/use-the-volume-activation-management-tool-client.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: medium
 ---
 
 # Use the Volume Activation Management Tool

windows/deploy/volume-activation-windows-10.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerMS
+localizationpriority: medium
 ---
 
 # Volume Activation for Windows 10

windows/deploy/windows-10-edition-upgrades.md

@@ -17,17 +17,22 @@ author: greg-lindsay
 
 With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
 
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. 
+
+X = unsupported <BR>
+✔ (green) = supported; reboot required<BR>
+✔ (blue) = supported; no reboot required. 
+
 
 |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
 |-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |
-| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |
-| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
-| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
+| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |
+| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |
+| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
+| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
 | Purchasing a license from the Windows Store |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |
 
-**Note**<br>Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
+>**Note**: Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
 
 ## Upgrade using mobile device management (MDM)
 - To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907).

windows/deploy/windows-10-upgrade-paths.md

@@ -31,6 +31,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td>Windows 10 Home</td>
         <td>Windows 10 Pro</td>
+        <td>Windows 10 Pro for Education</td>
         <td>Windows 10 Education</td>
         <td>Windows 10 Enterprise</td>
         <td>Windows 10 Mobile</td>
@@ -44,6 +45,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
         <td></td>
@@ -53,6 +55,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
         <td></td>
@@ -62,6 +65,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
         <td></td>
@@ -72,6 +76,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
     </tr>
@@ -81,6 +86,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
     </tr>
@@ -88,6 +94,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>Enterprise</td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td>✔</td>
         <td></td>
@@ -101,6 +108,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
         <td></td>
@@ -111,6 +119,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
     </tr>
@@ -120,6 +129,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
     </tr>
@@ -127,6 +137,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>Enterprise</td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td>✔</td>
         <td></td>
@@ -137,6 +148,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td></td>
         <td></td>
@@ -149,6 +161,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td></td>
         <td></td>
+        <td></td>
     </tr>
     <tr>
         <td>Windows Phone 8</td>
@@ -158,6 +171,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td></td>
         <td></td>
+        <td></td>
     </tr>
     <tr>
         <td rowspan="10" nowrap="nowrap">Windows 8.1</td>
@@ -167,6 +181,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
         <td></td>
@@ -176,6 +191,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
         <td></td>
@@ -186,6 +202,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
     </tr>
@@ -195,6 +212,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
     </tr>
@@ -204,6 +222,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
     </tr>
@@ -211,6 +230,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>Enterprise</td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td>✔</td>
         <td></td>
@@ -221,6 +241,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td></td>
         <td></td>
@@ -233,6 +254,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td></td>
         <td></td>
+        <td></td>
     </tr>
     <tr>
         <td>Windows Phone 8.1</td>
@@ -240,6 +262,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td></td>
     </tr>
@@ -251,6 +274,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
         <td></td>
@@ -261,6 +285,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>✔</td>
         <td>✔</td>
         <td>✔</td>
+        <td>✔</td>
         <td></td>
         <td></td>
     </tr>
@@ -268,6 +293,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>Education</td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td>D</td>
         <td></td>
@@ -277,6 +303,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td>Enterprise</td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td>✔</td>
         <td></td>
@@ -288,6 +315,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td></td>
         <td></td>
+        <td></td>
         <td>✔</td>
         <td>✔</td>
     </tr>
@@ -297,6 +325,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
         <td></td>
         <td></td>
         <td></td>
+        <td></td>
         <td>D</td>
         <td>✔</td>
     </tr>

windows/deploy/windows-deployment-scenarios-and-tools.md

@@ -328,7 +328,7 @@ For more information on UEFI, see the [UEFI firmware](http://go.microsoft.com/fw
 ## Related topics
 
 
-[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)
+
 
 [Deploy Windows To Go](deploy-windows-to-go.md)
 

windows/keep-secure/.vscode/settings.json

@@ -0,0 +1,4 @@
+// Place your settings in this file to overwrite default and user settings.
+{
+    "update.channel": "none",
+}

windows/keep-secure/TOC.md

@@ -1,39 +1,34 @@
 # [Keep Windows 10 secure](index.md)
-## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)
 ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
-### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
+## [Device Guard certification and compliance](device-guard-certification-and-compliance.md)
+### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
+### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
+## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
+### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
+### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
 ### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
-### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
-### [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-### [Event ID 300 - Passport successfully created](passport-event-300.md)
-## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
+### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
+### [Windows Hello and password changes](microsoft-passport-and-password-changes.md)
+### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+### [Event ID 300 - Windows Hello successfully created](passport-event-300.md)
+### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 ## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
 ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
-## [Device Guard deployment guide](device-guard-deployment-guide.md)
-### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
-### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
-### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
-#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
-#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
-#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
-#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
-### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
 ## [Protect derived domain credentials with Credential Guard](credential-guard.md)
-## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)
-### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
-#### [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
-##### [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
-##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
-##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
-#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
+## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
+## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
+### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
+#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
+##### [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
+##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
 #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
-### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
+### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+#### [Windows Information Protection (WIP) overview](wip-enterprise-overview.md)
 #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
-#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
-#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
+#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
+#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [VPN profile options](vpn-profile-options.md)
 ## [Windows security baselines](windows-security-baselines.md)
@@ -714,7 +709,12 @@
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
+#### [Windows Defender Offline in Windows 10](windows-defender-offline.md)
 #### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
+#### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
+#### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
+#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)
+#### [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)
 #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
 #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
@@ -827,6 +827,8 @@
 ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
 ## [Enterprise security guides](windows-10-enterprise-security-guides.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+### [Device Guard deployment guide](device-guard-deployment-guide.md)
 ### [Microsoft Passport guide](microsoft-passport-guide.md)
 ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
 ### [Windows 10 security overview](windows-10-security-guide.md)
+## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)

windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md

@@ -1,8 +1,8 @@
 ---
-title: Add apps to your enterprise data protection (EDP) policy by using Microsoft Intune and custom URI functionality (Windows 10)
-description: Add apps to your enterprise data protection (EDP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
+title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Intune and custom URI functionality (Windows 10)
+description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
 ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
-keywords: EDP, Enterprise Data Protection, protected apps, protected app list
+keywords: WIP, Enterprise Data Protection, protected apps, protected app list
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.pagetype: security
@@ -10,17 +10,15 @@ ms.sitesec: library
 author: eross-msft
 ---
 
-# Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality
+# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality
 **Applies to:**
 
--   Windows 10 Insider Preview
--   Windows 10 Mobile Preview
+-   Windows 10, version 1607
+-   Windows 10 Mobile
 
-<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
+You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
 
-You can add apps to your enterprise data protection (EDP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
-
->**Important**  
+>**Important**<br>
 Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
 
 ## Add Store apps
@@ -28,15 +26,15 @@ Results can be unpredictable if you configure your policy using both the UI and
 
 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.
 
-    The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
+    The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
 
 3.  In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
 
-    You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
+    You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
 
 4.  Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
 
-    This name should be easily recognizable, such as *EDP_StoreApps_Rules*.
+    This name should be easily recognizable, such as *WIP_StoreApps_Rules*.
 
 5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
 
@@ -67,29 +65,29 @@ Results can be unpredictable if you configure your policy using both the UI and
     ```
 
 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>
-After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
+After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
 
 ## Add Desktop apps
 1.  Open the Local Security Policy snap-in (SecPol.msc).
 
 2.  In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
 
-    The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
+    The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder.
 
 3.  In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
 
-    You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
+    You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
 
 4.  Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
 
-    This name should be easily recognizable, such as *EDP_DesktopApps_Rules*.
+    This name should be easily recognizable, such as *WIP_DesktopApps_Rules*.
 
 5.  In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
 
     >**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
     
     <p>
-    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+    >**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
 
 6.  In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
 
@@ -117,12 +115,12 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
 
 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
 
-    After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
+    After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
 
 ##Related topics
-- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
-- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
-- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
 
 
  

windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md

@@ -13,7 +13,7 @@ author: brianlic-msft
 
 **Applies to**
 -   Windows 10
--   Windows Server 2016 Technical Preview
+-   Windows Server 2016
 
 
 After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.