Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. | | [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) | If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. |
diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md
index df9d4246da..fb5ad0c6f2 100644
--- a/browsers/edge/TOC.md
+++ b/browsers/edge/TOC.md
@@ -1,5 +1,6 @@
#[Microsoft Edge - Deployment Guide for IT Pros](index.md)
##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
+##[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)
##[Available policies for Microsoft Edge](available-policies.md)
##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index c56c47624b..3299ef704e 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -12,10 +12,8 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros)
**Applies to:**
-- Windows 10 Insider Preview
-- Windows 10 Mobile
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+- Windows 10
+- Windows 10 Mobile
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index 4e5796f6bd..61e8ba0de9 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -9,7 +9,18 @@ ms.sitesec: library
# Change history for Microsoft Edge
This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile.
-For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/en-us/microsoft-edge/platform/changelog/).
+For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
+
+## July 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). |
+
+## July 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. |
+|[Available policies for Microsoft Edge](available-policies.md) |Updated |
## June 2016
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index adb462310e..8e57223ba4 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -13,7 +13,7 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
**Applies to:**
-- Windows 10
+- Windows 10
If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
new file mode 100644
index 0000000000..f039e2fc51
--- /dev/null
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -0,0 +1,51 @@
+---
+title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros)
+description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11.
+ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa
+author: eross-msft
+ms.prod: edge
+ms.mktglfcycl: support
+ms.sitesec: library
+ms.pagetype: appcompat
+---
+
+# Browser: Microsoft Edge and Internet Explorer 11
+**Microsoft Edge content applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+
+**Internet Explorer 11 content applies to:**
+
+- Windows 10
+
+## Enterprise guidance
+Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
+
+We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
+
+### Microsoft Edge
+Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
+
+- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
+- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
+- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
+- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
+
+### IE11
+IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.
+
+- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.
+- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.
+- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk.
+- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.
+- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.
+- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
+
+## Related topics
+- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
+- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
+- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
+- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
+- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
+- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md
index e7467694cc..169caa75ce 100644
--- a/browsers/edge/hardware-and-software-requirements.md
+++ b/browsers/edge/hardware-and-software-requirements.md
@@ -13,12 +13,14 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P
**Applies to:**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10
+- Windows 10 Mobile
Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.
+>**Note**
The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
+
## Minimum system requirements
Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md
index 9db29bd47d..32fdd307ff 100644
--- a/browsers/edge/security-enhancements-microsoft-edge.md
+++ b/browsers/edge/security-enhancements-microsoft-edge.md
@@ -8,6 +8,12 @@ title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
---
# Security enhancements for Microsoft Edge
+
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+
Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows.
## Help to protect against web-based security threats
@@ -43,15 +49,15 @@ Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused
The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features:
-- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks.
+- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks.
-- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured.
+- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured.
**Note**
Both Microsoft Edge and Internet Explorer 11 support HSTS.
#### All web content runs in an app container sandbox
-Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins.
+Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins.
Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions.
@@ -68,10 +74,10 @@ The value of running 64-bit all the time is that it strengthens Windows Address
#### New extension model and HTML5 support
Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browser’s processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down.
-Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/en-us/microsoft-edge/extensions/).
+Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/).
#### Reduced attack surfaces
-In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/en-us/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible.
+In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible.
Because of the reduced backward compatibility, we’ve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index f087763a35..531d4b4564 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -21,7 +21,7 @@ title: System requirements and language support for Internet Explorer 11 (IE11)
Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support.
## Minimum system requirements for IE11
-IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/en-us/library/mt156988.aspx).
+IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx).
**Important**
IE11 isn't supported on Windows 8 or Windows Server 2012.
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index e3c0f7b0dc..9763adf01d 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
-localizationpriority: high
---
# Appendix: PowerShell (Surface Hub)
@@ -35,7 +34,7 @@ You can check online for updated versions at [Surface Hub device account scripts
What do the scripts do?
- Create device accounts for setups using pure single-forest on-premises (Microsoft Exchange and Skype 2013 and later only) or online (Microsoft Office 365), that are configured correctly for your Surface Hub.
-- Validate existing device accounts for any setup (on-premises, online, or hybrid using Exchange or Lync 2010 or later) to make sure they're compatible with Surface Hub.
+- Validate existing device accounts for any setup (on-premises or online) to make sure they're compatible with Surface Hub.
- Provide a base template for anyone wanting to create their own device account creation or validation scripts.
What do you need in order to run the scripts?
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index aeb2e566ac..25c3cadb31 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -116,8 +116,6 @@ You can check online for updated versions at [Surface Hub device account scripts
Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
-
-
- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365.
- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365.
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index fca0089996..489d304b97 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -16,7 +16,7 @@ localizationpriority: high
This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
-If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, or are using Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
+If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
1. Start a remote PowerShell session from a PC and connect to Exchange.
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index cb9e9ed979..545d0ec9d4 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -16,7 +16,7 @@ localizationpriority: high
This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment.
-If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. If you’re using Microsoft Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
+If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts.
1. Start a remote PowerShell session on a PC and connect to Exchange.
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 21af99c93f..b7dd253652 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -58,8 +58,7 @@ To boot a Surface device from an alternative boot device, follow these steps:
>**Note:** In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.
-
-To support booting from the network in a Windows Preinstallation Environment (WinPE), such as is used in the Microsoft Deployment Toolkit and Configuration Manager, you must add drivers for the Ethernet adapter to WinPE. You can download the drivers for Surface Ethernet adapters from the Microsoft Download Center page for your specific device. For a list of the available downloads for Surface devices, see [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+For Windows 10, version 1511 and later – including the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10, version 1511 – the drivers for Microsoft Surface Ethernet Adapters are present by default. If you are using a deployment solution that uses Windows Preinstallation Environment (WinPE), like the Microsoft Deployment Toolkit, and booting from the network with PXE, ensure that your deployment solution is using the latest version of the Windows ADK.
## Manage MAC addresses with removable Ethernet adapters
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index b2399b5fb2..b88d81df41 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -1,14 +1,20 @@
# [Windows 10 for education](index.md)
## [Change history for Windows 10 for Education](change-history-edu.md)
## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
-## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md)
-## [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md)
+## [Setup options for Windows 10](set-up-windows-10.md)
+### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
+### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
+### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
+### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
## [Get Minecraft Education Edition](get-minecraft-for-education.md)
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
-## [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
-### [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
-### [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
-### [Take a Test app technical reference (Preview)](take-a-test-app-technical.md)
+## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
+### [Set up Take a Test on a single PC ](take-a-test-single-pc.md)
+### [Set up Take a Test on multiple PCs ](take-a-test-multiple-pcs.md)
+### [Take a Test app technical reference ](take-a-test-app-technical.md)
+## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
-## [Chromebook migration guide](chromebook-migration-guide.md)
\ No newline at end of file
+## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
+## [Chromebook migration guide](chromebook-migration-guide.md)
+
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index cd7ed4a9bd..0d1c19f506 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -12,11 +12,25 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+
+## RELEASE: Windows 10, version 1607
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+
+- [Set up Windows 10](set-up-windows-10.md)
+- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
+- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
+- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
+
+
## July 2016
+
| New or changed topic | Description|
| --- | --- |
| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New |
+|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New |
+
+
## June 2016
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
new file mode 100644
index 0000000000..dcfe03beba
--- /dev/null
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -0,0 +1,1854 @@
+---
+title: Deploy Windows 10 in a school district (Windows 10)
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices.
+keywords: configure, tools, device, school
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: edu
+ms.sitesec: library
+author: craigash
+---
+
+# Deploy Windows 10 in a school district
+
+**Applies to**
+
+- Windows 10
+
+
+This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft System Center Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
+
+## Prepare for district deployment
+
+Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
+
+>**Note** This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management).
+
+### Plan a typical district configuration
+
+As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
+
+
+
+*Figure 1. Typical district configuration for this guide*
+
+A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses.
+
+
+
+*Figure 2. Typical school configuration for this guide*
+
+Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses.
+
+
+
+*Figure 3. Typical classroom configuration in a school*
+
+This district configuration has the following characteristics:
+
+* It contains one or more admin devices.
+* It contains two or more schools.
+* Each school contains two or more classrooms.
+* Each classroom contains one teacher device.
+* The classrooms connect to each other through multiple subnets.
+* All devices in each classroom connect to a single subnet.
+* All devices have high-speed, persistent connections to each other and to the Internet.
+* All teachers and students have access to Windows Store or Windows Store for Business.
+* You install a 64-bit version of Windows 10 on the admin device.
+* You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+* You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device.
+ >**Note** In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
+* The devices use Azure AD in Office 365 Education for identity management.
+* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/).
+* Use [Intune](https://docs.microsoft.com/en-us/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/en-us/library/cc725828.aspx) to manage devices.
+* Each device supports a one-student-per-device or multiple-students-per-device scenario.
+* The devices can be a mixture of different make, model, and processor architecture (32-bit or 64-bit) or be identical.
+* To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment (PXE) boot.
+* The devices can be a mixture of different Windows 10 editions, such as Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.
+
+Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
+
+>**Note** This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution.
+
+Office 365 Education allows:
+
+* Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser.
+* Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students.
+* Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, the administration, and faculty.
+* Teachers to employ Sway to create interactive educational digital storytelling.
+* Students and faculty to use email and calendars, with mailboxes up to 50 GB per user.
+* Faculty to use advanced email features like email archiving and legal hold capabilities.
+* Faculty to help prevent unauthorized users from accessing documents and email by using Microsoft Azure Rights Management.
+* Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center.
+* Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business.
+* Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
+* Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.
+* Students and faculty to use Office 365 Video to manage videos.
+* Students and faculty to use Yammer to collaborate through private social networking.
+* Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
+
+For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
+
+### How to configure a district
+
+Now that you have the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge.
+
+The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
+
+You can use MDT as a stand-alone tool or integrate it with System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments.
+
+This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with System Center Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
+
+MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices.
+
+LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
+
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+
+ZTI performs fully automated deployments using System Center Configuration Manager and MDT. Although you could use System Center Configuration Manager by itself, using System Center Configuration Manager with MDT provides an easier process for deploying operating systems. MDT works with the operating system deployment feature in System Center Configuration Manager.
+
+The configuration process requires the following devices:
+
+* **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the System Center Configuration Manager Console on this device.
+* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices.
+ You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/en-us/windows/view-all).
+* **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices.
+* **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them.
+
+The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4:
+
+1. Prepare the admin device for use, which includes installing the Windows ADK, MDT, and the Configuration Manager console.
+
+2. On the admin device, create and configure the Office 365 Education subscription that you will use for the district’s classrooms.
+
+3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration).
+
+4. On the admin device, create and configure a Windows Store for Business portal.
+
+5. On the admin device, prepare for management of the Windows 10 devices after deployment.
+
+6. On the reference devices, deploy Windows 10 and the Windows desktop apps on the device, and then capture the reference image from the devices.
+
+7. Import the captured reference images into MDT or System Center Configuration Manager.
+
+8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
+
+9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
+
+
+
+*Figure 4. How district configuration works*
+
+Each step illustrated in Figure 4 directly corresponds to the remaining high-level sections in this guide.
+
+#### Summary
+
+In this district, you looked at the final configuration of your individual classrooms, individual schools, and the district as a whole upon completion of this guide. You also learned the high-level steps for deploying the faculty and student devices in your district.
+
+## Select deployment and management methods
+
+Now that you know what a typical district looks like and how to configure the devices in your district, you need to make a few decisions. You must select the methods you’ll use to deploy Windows 10 to the faculty and student devices in your district. Next, you must select the method you’ll use to manage configuration settings for your users and devices. Finally, you must select the method you’ll use to manage Windows desktop apps, Windows Store apps, and software updates.
+
+### Typical deployment and management scenarios
+
+Before you select the deployment and management methods, you need to review the typical deployment and management scenarios (the cloud-centric scenario and the on-premises and cloud scenario). Table 1 lists the scenario feature and the corresponding products and technologies for that feature in each scenario.
+
+|Scenario feature |Cloud-centric|On-premises and cloud|
+|---|---|---|
+|Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD |
+|Windows 10 deployment | MDT only | System Center Configuration Manager with MDT |
+|Configuration setting management | Intune | Group Policy
Intune|
+|App and update management | Intune |System Center Configuration Manager
Intune|
+
+*Table 1. Deployment and management scenarios*
+
+These scenarios assume the need to support:
+
+* Institution-owned and personal devices.
+* AD DS domain-joined and nondomain-joined devices.
+
+Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind:
+
+* You can use Group Policy or Intune to manage configuration settings on a device but not both.
+* You can use System Center Configuration Manager or Intune to manage apps and updates on a device but not both.
+* You cannot manage multiple users on a device with Intune if the device is AD DS domain joined.
+
+Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district.
+
+### Select the deployment methods
+
+To deploy Windows 10 and your apps, you can use MDT by itself or System Center Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
+
+
| Method | +Description | +
|---|---|
| MDT | +MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Windows Store apps and software updates.
The advantages of this method are that: +
The disadvantages of this method are that it: + +
|
+
| System Center Configuration Manager | +System Center Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use System Center Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Windows Store apps and software updates as well as provide antivirus and antimalware protection.
The advantages of this method are that: +
The disadvantages of this method are that it: +
|
+
| Method | +Description | +
|---|---|
| Group Policy | +Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
The advantages of this method include: +
The disadvantages of this method are that it: +
|
+
| Intune | +Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
The advantages of this method are that: +
The disadvantages of this method are that it: +
|
+
| Selection | +Management method | +
|---|---|
| System Center Configuration Manager | +System Center Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
The advantages of this method are that: +
The disadvantages of this method are that it: +
|
+
| Intune | +Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
The advantages of this method are that: +
The disadvantages of this method are that it: +
|
+
| System Center Configuration Manager and Intune (hybrid) | +System Center Configuration Manager and Intune together extend System Center Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both System Center Configuration Manager and Intune.
The advantages of this method are that: +
The disadvantages of this method are that it: +
|
+
| Method | +Description and reason to select this method | + +
|---|---|
| Windows Deployment Services | +This method: +
Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. + |
+
| Bootable media | +This method: +
Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. + |
+
| Deployment media | +This method: +
Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. + |
+
| Task | +Description | + +
|---|---|
| 1. Import operating systems | +Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). | +
| 2. Import device drivers | +Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat. +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). + |
+
| 3. Create MDT applications for Windows Store apps | +Create an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10. + Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files by performing one of the following tasks: +
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business. +If you have Intune or System Center Configuration Manager, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager) sections. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps. +In addition, you must prepare your environment for sideloading Windows Store apps. For more information about how to: +
|
+
| 4. Create MDT applications for Windows desktop apps | +You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them. +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx). +If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps. + +**Note** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) section. + +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx). + + |
+
| 5. Create task sequences | +You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will: +
Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). + + |
+
| 6. Update the deployment share | +Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services. +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). + + |
+
| Recommendation | +Description | + +
|---|---|
| Use of Microsoft accounts | +You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts. + +**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices. +**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option. +**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. + + |
+
| Restrict the local administrator accounts on the devices | +Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices. +**Group Policy.** Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item. +**Intune.** Not available. + + |
+
| Manage the built-in administrator account created during device deployment | +When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it. +**Group Policy.** To rename the built-in Administrator account, use the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx). +**Intune.** Not available. + + |
+
| Control Windows Store access | +You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise. +**Group Policy.** To disable the Windows Store app, use the **Turn off the Store Application** group policy setting. To prevent Windows Store apps from receiving updates, use the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP). +**Intune.** To enable or disable Windows Store access, use the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration policy**. + + |
+
| Use of Remote Desktop connections to devices | +Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices. +**Group Policy.** To enable or disable Remote Desktop connections to devices, use the **Allow Users to connect remotely using Remote Desktop** setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. +**Intune.** Not available. + + |
+
| Use of camera | +A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices. +**Group Policy.** Not available. +**Intune.** To enable or disable the camera, use the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. + + |
+
| Use of audio recording | +Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices. +**Group Policy.** To disable the Sound Recorder app, use the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894.aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx). +**Intune.** To enable or disable audio recording, use the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. + + |
+
| Use of screen capture | +Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices. +**Group Policy.** Not available. +**Intune.** To enable or disable screen capture, use the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. + + |
+
| Use of location services | +Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices. +**Group Policy.** To enable or disable location services, use the **Turn off location** group policy setting in User Configuration\Windows Components\Location and Sensors. +**Intune.** To enable or disable location services, use the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. + + |
+
| Changing wallpaper | +Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices. +**Group Policy.** To configure the wallpaper, use the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop. +**Intune.** Not available. + + |
+
| Task and resources | +Monthly | +New semester or academic year | +As required | +
|---|---|---|---|
| Verify that Windows Update is active and current with operating system and software updates. +For more information about completing this task when you have: +
|
+x | +x | +x | +
| Verify that Windows Defender is active and current with malware signatures. +For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/en-us/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02) and [Updating Windows Defender](https://support.microsoft.com/en-us/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03). + |
+x | +x | +x | +
| Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found. +For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/en-us/help/17228/windows-protect-my-pc-from-viruses). + |
+x | +x | +x | +
| Download and approve updates for Windows 10, apps, device driver, and other software. +For more information, see: +
|
+x | +x | +x | +
| Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business). +For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing). + |
++ | x | +x | +
| Refresh the operating system and apps on devices. +For more information about completing this task, see the following resources: +
|
++ | x | +x | +
| Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum. +For more information, see: +
|
++ | x | +x | +
| Install new or update existing Windows Store apps used in the curriculum. +Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download. +You can also deploy Windows Store apps directly to devices by using Intune, System Center Configuration Manager, or both in a hybrid configuration. For more information, see: +
|
++ | x | +x | +
| Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure). +For more information about how to: +
|
++ | x | +x | +
| Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure). +For more information about how to: +
|
++ | x | +x | +
| Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure). +For more information about how to: +
|
++ | x | +x | +
| Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure). +For more information about how to: +
|
++ | x | +x | +
| Create or modify security groups, and manage group membership in Office 365. +For more information about how to: +
|
++ | x | +x | +
| Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365. +For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](https://technet.microsoft.com/library/bb124513.aspx) and [Create, edit, or delete a security group](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB). + |
++ | x | +x | +
| Install new student devices. +Follow the same steps you followed in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + |
++ | + | x | +
Windows Settings > Security Settings > Local Policies > Security Options
Accounts: Block Microsoft accounts
Enabled
Accounts: Block Microsoft accounts
**Note** Microsoft accounts can still be used in apps.
Enabled
Interactive logon: Do not display last user name
Enabled
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart
Disabled
+Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + +**Next step** +- [Apply the provisioning package to a PC](#apply-package) + +## Apply package + +**During initial setup, from a USB drive** +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. + +  + +6. Read and accept the Microsoft Software License Terms. + +  + +7. Select **Use Express settings**. + +  + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + +  + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. + +  + +10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. + +  + + +**After setup, from a USB drive, network folder, or SharePoint site** + +On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. + + + + + +## Learn more + +- [Develop Universal Windows Education apps](https://msdn.microsoft.com/windows/uwp/apps-for-education/index) + +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + + diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md new file mode 100644 index 0000000000..fe7767a997 --- /dev/null +++ b/education/windows/set-up-windows-10.md @@ -0,0 +1,37 @@ +--- +title: Provisioning options for Windows 10 +description: Decide which option for setting up Windows 10 is right for you. +keywords: shared cart, shared PC, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Provisioning options for Windows 10 +**Applies to:** + +- Windows 10 + +You have two tools to choose from to set up PCs for your classroom: **Set up School PCs** app and the **Provision school devices** option in Windows Imaging and Configuration Designer (ICD). Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). The following diagram compares the tools. + + + + +## In this section + +- [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) +- [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) +- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) +- [Provision student PCs with apps](set-up-students-pcs-with-apps.md) + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) + +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) + + + diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index d10f638e00..7e3ed9ca0b 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -9,13 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Take a Test app technical reference (Preview) +# Take a Test app technical reference **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] Take a Test is an app that locks down the PC and displays an online assessment web page. @@ -32,7 +31,9 @@ When running above the lock screen: - The hardware print screen button is disabled -- Content within the app will show up as black in screen capturing/sharing software Copy/paste is disabled +- Content within the app will show up as black in screen capturing/sharing software + +- System clipboard is cleared - Web apps can query the processes currently running in the user’s device @@ -79,5 +80,7 @@ When Take a Test is running, the following functionality is available to student - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account) +## Learn more +[Take a Test API](https://msdn.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index d0d6052781..0110e7d52c 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Set up Take a Test on multiple PCs (Preview) +# Set up Take a Test on multiple PCs **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index fece24bac1..7c05de544c 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Set up Take a Test on a single PC (Preview) +# Set up Take a Test on a single PC **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index c0de33cc5b..6bf51bf7b2 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Take tests in Windows 10 (Preview) +# Take tests in Windows 10 **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - **Take a Test** shows just the test and nothing else. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 97f0a04fcb..788c6dd819 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -9,13 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Use the Set up School PCs app (Preview) +# Use the Set up School PCs app **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 587bb000ba..d75bd0ebe8 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -47,8 +47,10 @@ ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) +## [Provisioning packages for Windows 10](provisioning-packages.md) +### [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) +### [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) -## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md) ## [Volume Activation [client]](volume-activation-windows-10.md) diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md index dbf9a5a617..cd91b2b614 100644 --- a/windows/deploy/activate-using-active-directory-based-activation-client.md +++ b/windows/deploy/activate-using-active-directory-based-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay +localizationpriority: medium --- # Activate using Active Directory-based activation diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md index 9681860156..3fc787f902 100644 --- a/windows/deploy/activate-using-key-management-service-vamt.md +++ b/windows/deploy/activate-using-key-management-service-vamt.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Activate using Key Management Service diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md index 2d77f355dc..c110f8233c 100644 --- a/windows/deploy/activate-windows-10-clients-vamt.md +++ b/windows/deploy/activate-windows-10-clients-vamt.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Activate clients running Windows 10 diff --git a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md index 39133a9d8c..bcf9e7aa13 100644 --- a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Appendix: Information sent to Microsoft during activation **Applies to** diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 737b50de59..3d0e742f97 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -11,10 +11,18 @@ author: greg-lindsay # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [Provision PCs with apps and certificates for initial deployment](provision-pcs-with-apps-and-certificates.md) +- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) + ## July 2016 | New or changed topic | Description | |----------------------|-------------| -| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New | +| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New | ## June 2016 | New or changed topic | Description | @@ -44,12 +52,3 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc - [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) - [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) - [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) - - - - - - - - - diff --git a/windows/deploy/images/ICD.png b/windows/deploy/images/ICD.png new file mode 100644 index 0000000000..9cfcb845df Binary files /dev/null and b/windows/deploy/images/ICD.png differ diff --git a/windows/deploy/images/ICDstart-option.PNG b/windows/deploy/images/ICDstart-option.PNG new file mode 100644 index 0000000000..1ba49bb261 Binary files /dev/null and b/windows/deploy/images/ICDstart-option.PNG differ diff --git a/windows/deploy/images/adk-install.png b/windows/deploy/images/adk-install.png new file mode 100644 index 0000000000..c087d3bae5 Binary files /dev/null and b/windows/deploy/images/adk-install.png differ diff --git a/windows/deploy/images/check_blu.png b/windows/deploy/images/check_blu.png new file mode 100644 index 0000000000..d5c703760f Binary files /dev/null and b/windows/deploy/images/check_blu.png differ diff --git a/windows/deploy/images/checkmark.png b/windows/deploy/images/checkmark.png index 04cc421e12..f9f04cd6bd 100644 Binary files a/windows/deploy/images/checkmark.png and b/windows/deploy/images/checkmark.png differ diff --git a/windows/deploy/images/choose-package.png b/windows/deploy/images/choose-package.png new file mode 100644 index 0000000000..2bf7a18648 Binary files /dev/null and b/windows/deploy/images/choose-package.png differ diff --git a/windows/deploy/images/connect-aad.png b/windows/deploy/images/connect-aad.png new file mode 100644 index 0000000000..8583866165 Binary files /dev/null and b/windows/deploy/images/connect-aad.png differ diff --git a/windows/deploy/images/crossmark.png b/windows/deploy/images/crossmark.png index 2b267dc802..69432ff71c 100644 Binary files a/windows/deploy/images/crossmark.png and b/windows/deploy/images/crossmark.png differ diff --git a/windows/deploy/images/express-settings.png b/windows/deploy/images/express-settings.png new file mode 100644 index 0000000000..99e9c4825a Binary files /dev/null and b/windows/deploy/images/express-settings.png differ diff --git a/windows/deploy/images/icd-simple-edit.png b/windows/deploy/images/icd-simple-edit.png new file mode 100644 index 0000000000..3608dc18f3 Binary files /dev/null and b/windows/deploy/images/icd-simple-edit.png differ diff --git a/windows/deploy/images/icd-simple.PNG b/windows/deploy/images/icd-simple.PNG new file mode 100644 index 0000000000..7ae8a1728b Binary files /dev/null and b/windows/deploy/images/icd-simple.PNG differ diff --git a/windows/deploy/images/license-terms.png b/windows/deploy/images/license-terms.png new file mode 100644 index 0000000000..8dd34b0a18 Binary files /dev/null and b/windows/deploy/images/license-terms.png differ diff --git a/windows/deploy/images/oobe.jpg b/windows/deploy/images/oobe.jpg new file mode 100644 index 0000000000..53a5dab6bf Binary files /dev/null and b/windows/deploy/images/oobe.jpg differ diff --git a/windows/deploy/images/package.png b/windows/deploy/images/package.png new file mode 100644 index 0000000000..f5e975e3e9 Binary files /dev/null and b/windows/deploy/images/package.png differ diff --git a/windows/deploy/images/prov.jpg b/windows/deploy/images/prov.jpg new file mode 100644 index 0000000000..1593ccb36b Binary files /dev/null and b/windows/deploy/images/prov.jpg differ diff --git a/windows/deploy/images/setupmsg.jpg b/windows/deploy/images/setupmsg.jpg new file mode 100644 index 0000000000..12935483c5 Binary files /dev/null and b/windows/deploy/images/setupmsg.jpg differ diff --git a/windows/deploy/images/sign-in-prov.png b/windows/deploy/images/sign-in-prov.png new file mode 100644 index 0000000000..55c9276203 Binary files /dev/null and b/windows/deploy/images/sign-in-prov.png differ diff --git a/windows/deploy/images/trust-package.png b/windows/deploy/images/trust-package.png new file mode 100644 index 0000000000..8a293ea4da Binary files /dev/null and b/windows/deploy/images/trust-package.png differ diff --git a/windows/deploy/images/uwp-dependencies.PNG b/windows/deploy/images/uwp-dependencies.PNG new file mode 100644 index 0000000000..4e2563169f Binary files /dev/null and b/windows/deploy/images/uwp-dependencies.PNG differ diff --git a/windows/deploy/images/uwp-family.PNG b/windows/deploy/images/uwp-family.PNG new file mode 100644 index 0000000000..bec731eec4 Binary files /dev/null and b/windows/deploy/images/uwp-family.PNG differ diff --git a/windows/deploy/images/uwp-license.PNG b/windows/deploy/images/uwp-license.PNG new file mode 100644 index 0000000000..ccb5cf7cf4 Binary files /dev/null and b/windows/deploy/images/uwp-license.PNG differ diff --git a/windows/deploy/images/who-owns-pc.png b/windows/deploy/images/who-owns-pc.png new file mode 100644 index 0000000000..d3ce1def8d Binary files /dev/null and b/windows/deploy/images/who-owns-pc.png differ diff --git a/windows/deploy/index.md b/windows/deploy/index.md index c36f030dfd..504b8b4dc8 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md @@ -15,7 +15,6 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| -|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | |[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | @@ -24,13 +23,15 @@ Learn about deploying Windows 10 for IT professionals. |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | +| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. | +| [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) | Create a provisioning package to add apps and certificates to a PC running Windows 10. | |[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. | |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | -|[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. | |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. | |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | +|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | ## Related topics - [Windows 10 and Windows 10 Mobile](../index.md) diff --git a/windows/deploy/monitor-activation-client.md b/windows/deploy/monitor-activation-client.md index 26c8257cc3..5b49e544c2 100644 --- a/windows/deploy/monitor-activation-client.md +++ b/windows/deploy/monitor-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay +localizationpriority: medium --- # Monitor activation diff --git a/windows/deploy/plan-for-volume-activation-client.md b/windows/deploy/plan-for-volume-activation-client.md index d5ed360f3e..3e4a114155 100644 --- a/windows/deploy/plan-for-volume-activation-client.md +++ b/windows/deploy/plan-for-volume-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Plan for volume activation diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md new file mode 100644 index 0000000000..d3692b2073 --- /dev/null +++ b/windows/deploy/provision-pcs-for-initial-deployment.md @@ -0,0 +1,133 @@ +--- +title: Provision PCs with common settings (Windows 10) +description: Create a provisioning package to apply common settings to a PC running Windows 10. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- + +# Provision PCs with common settings for initial deployment (simple provisioning) + + +**Applies to** + +- Windows 10 + +This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. + +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. + +## Advantages +- You can configure new devices without reimaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) + +## What does simple provisioning do? + +In a simple provisioning package, you can configure: + +- Device name +- Upgraded product edition +- Wi-Fi network +- Active Directory enrollment +- Local administrator account + +Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). + +> [!TIP] +> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. + + + +## Create the provisioning package + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Simple provisioning**. + +  + +3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps. + +  + +4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. + +5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. + - Pro to Education + - Pro to Enterprise + - Enterprise to Education + +6. Click **Set up network**. + +7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. + +8. Click **Enroll into Active Directory**. + +9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account. + + > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + - Use a least-privileged domain account to join the device to the domain. + - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. + - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. + +10. Click **Finish**. + +11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. + +12. Click **Create**. + +> [!IMPORTANT] +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +## Apply package + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. + +  + + + +## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + + + + + + + + + diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md new file mode 100644 index 0000000000..936f1b6f73 --- /dev/null +++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md @@ -0,0 +1,227 @@ +--- +title: Provision PCs with apps and certificates (Windows 10) +description: Create a provisioning package to apply settings to a PC running Windows 10. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- + +# Provision PCs with apps and certificates for initial deployment (advanced provisioning) + + +**Applies to** + +- Windows 10 + + +This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. + +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. + +## Advantages +- You can configure new devices without reimaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) + +## Create the provisioning package + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Advanced provisioning**. + +  + +3. Name your project and click **Next**. + +3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. + + +### Add a desktop app to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. + +2. Add all the files required for the app install, including the data files and the installer. + +3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. + +> [!NOTE] +> If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/library/windows/hardware/mt703295%28v=vs.85%29.aspx). + + +### Add a universal app to your package + +Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. + +2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page. + +  + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. + +  + +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page. + +  + +[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md) + +> [!NOTE] +> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. + + + +### Add a certificate to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then click **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate to be used. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. + + +### Add other settings to your package + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). + +### Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + > [!TIP] + > You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important** + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+ - Shared network folder
+
+ - SharePoint site
+
+ - Removable media (USB/SD)
+
+ - Email
+
+ - USB tether (mobile only)
+
+ - NFC (mobile only)
+
+
+
+## Apply package
+
+### During initial setup, from a USB drive
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ 
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+ 
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ 
+
+5. Select **Yes, add it**.
+
+ 
+
+6. Read and accept the Microsoft Software License Terms.
+
+ 
+
+7. Select **Use Express settings**.
+
+ 
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+ 
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+ 
+
+10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+ 
+
+
+### After setup, from a USB drive, network folder, or SharePoint site
+
+On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install.
+
+
+
+## Learn more
+- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+
+
+
+
+
diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md
new file mode 100644
index 0000000000..4630340ba6
--- /dev/null
+++ b/windows/deploy/provisioning-packages.md
@@ -0,0 +1,141 @@
+---
+title: Provisioning packages (Windows 10)
+description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: mobile
+author: jdeckerMS
+---
+
+# Provisioning packages for Windows 10
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
+
+With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+
+Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
+
+## New in Windows 10, Version 1607
+
+The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios.
+
+
+
+Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT administrators:
+
+* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
+
+ > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
+
+* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices.
+
+ > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md)
+
+* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include:
+
+ * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment)
+ * AirWatch (password-string based enrollment)
+ * Mobile Iron (password-string based enrollment)
+ * Other MDMs (cert-based enrollment)
+
+> [!NOTE]
+> Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
+
+## Benefits of provisioning packages
+
+
+Provisioning packages let you:
+
+- Quickly configure a new device without going through the process of installing a new image.
+
+- Save time by configuring multiple devices using one provisioning package.
+
+- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure.
+
+- Set up a device without the device having network connectivity.
+
+Provisioning packages can be:
+
+- Installed using removable media such as an SD card or USB flash drive.
+
+- Attached to an email.
+
+- Downloaded from a network share.
+
+## What you can configure
+
+
+The following table provides some examples of what can be configured using provisioning packages.
+
+| Customization options | Examples |
+|--------------------------|-----------------------------------------------------------------------------------------------|
+| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
+| Applications | Windows apps, line-of-business applications |
+| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* |
+| Certificates | Root certification authority (CA), client certificates |
+| Connectivity profiles | Wi-Fi, proxy settings, Email |
+| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
+| Data assets | Documents, music, videos, pictures |
+| Start menu customization | Start menu layout, application pinning |
+| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
+\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices.
+
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+## Creating a provisioning package
+
+
+With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
+
+When you run ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box:
+
+- **Configuration Designer**
+
+
+
+> [!NOTE]
+> In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features.
+
+After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
+
+## Applying a provisioning package to a device
+
+
+Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
+
+## Learn more
+
+
+[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708)
+
+## Related topics
+
+- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
+- [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md)
+- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
+- [Set up a shared or guest PC with Windows 10](../manage/set-up-shared-or-guest-pc.md)
+- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
+- [Set up a device for anyone to use (kiosk mode)](../manage/set-up-a-device-for-anyone-to-use.md)
+- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain)
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md
index 1e4f5c32b2..6eed17adf5 100644
--- a/windows/deploy/use-the-volume-activation-management-tool-client.md
+++ b/windows/deploy/use-the-volume-activation-management-tool-client.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerMS
+localizationpriority: medium
---
# Use the Volume Activation Management Tool
diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md
index eda56e2651..f1bda40ad4 100644
--- a/windows/deploy/volume-activation-windows-10.md
+++ b/windows/deploy/volume-activation-windows-10.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerMS
+localizationpriority: medium
---
# Volume Activation for Windows 10
diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md
index cbc6ee73c5..ab1e629231 100644
--- a/windows/deploy/windows-10-edition-upgrades.md
+++ b/windows/deploy/windows-10-edition-upgrades.md
@@ -17,17 +17,22 @@ author: greg-lindsay
With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
+
+X = unsupported
+✔ (green) = supported; reboot required
+✔ (blue) = supported; no reboot required.
+
|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
|-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) | | | | | | |
-| Using a provisioning package | | | | | | |
-| Using a command-line tool | | | | | | |
-| Entering a product key manually | | | | | | |
+| Using mobile device management (MDM) | | | | | | |
+| Using a provisioning package | | | | | | |
+| Using a command-line tool | | | | | | |
+| Entering a product key manually | | | | | | |
| Purchasing a license from the Windows Store | | | | | | |
-**Note**
Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
+>**Note**: Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
## Upgrade using mobile device management (MDM)
- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907).
diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md
index 2503ea6a25..7ee695086b 100644
--- a/windows/deploy/windows-10-upgrade-paths.md
+++ b/windows/deploy/windows-10-upgrade-paths.md
@@ -31,6 +31,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
-After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
+After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
## Add Desktop apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
- The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
+ The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
- You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
+ You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
- This name should be easily recognizable, such as *EDP_DesktopApps_Rules*.
+ This name should be easily recognizable, such as *WIP_DesktopApps_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
- >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+ >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
@@ -117,12 +115,12 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
- After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
+ After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
##Related topics
-- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
-- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
-- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
index fc07133c99..69108c1fcc 100644
--- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
index f5f2edf9d6..11b782d3f8 100644
--- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index f72093bb1e..f567285c1b 100644
--- a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md
index f6dcdfddf4..d70e138887 100644
--- a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md
+++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md
index 3863b0cf74..bbc34eda26 100644
--- a/windows/keep-secure/basic-firewall-policy-design.md
+++ b/windows/keep-secure/basic-firewall-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md
index 66865b93a6..550aa7e934 100644
--- a/windows/keep-secure/boundary-zone-gpos.md
+++ b/windows/keep-secure/boundary-zone-gpos.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md
index b44e15fdc1..da0878002d 100644
--- a/windows/keep-secure/boundary-zone.md
+++ b/windows/keep-secure/boundary-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
@@ -60,4 +60,4 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i
>**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
-**Next: **[Encryption Zone](encryption-zone.md)
+**Next:**[Encryption Zone](encryption-zone.md)
diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md
index 8b5e59db2e..0c3612bef6 100644
--- a/windows/keep-secure/certificate-based-isolation-policy-design-example.md
+++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md
index 8d0483f776..6a1a244f5c 100644
--- a/windows/keep-secure/certificate-based-isolation-policy-design.md
+++ b/windows/keep-secure/certificate-based-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index c3532cc64d..62c0c22e26 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -12,14 +12,29 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## RELEASE: Windows 10, version 1607
+
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+
+- [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
+- [Remote Credential Guard](remote-credential-guard.md)
+- [Windows Defender Offline in Windows 10](windows-defender-offline.md)
+- [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
+- [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
+- [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
+- [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)
+- [Detect and block Potentially Unwanted Applications](enable-pua-windows-defender-for-windows-10.md)
+
+
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
+|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated various topics throughout this section for new name and new UI in Microsoft Intune and System Center Configuration Manager. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New |
-|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New |
-|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New |
+|[Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |New |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated |
|[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated |
@@ -28,7 +43,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|New or changed topic | Description |
|----------------------|-------------|
-|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your Windows Information Protection app rules after delivery of the June service update. |
| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
| [Windows security baselines](windows-security-baselines.md) | New |
@@ -40,7 +55,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Changed Internet Explorer to Microsoft Edge |
| [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
-|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Updated info based on changes to the features and functionality.|
+|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated info based on changes to the features and functionality.|
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New |
@@ -56,7 +71,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|New or changed topic | Description |
|----------------------|-------------|
|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.|
-|[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) |Added pre-release content about how to set up and deploy enterprise data protection (EDP) in an enterprise environment.|
+|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Added pre-release content about how to set up and deploy Windows Information Protection (WIP) in an enterprise environment.|
## February 2016
diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md
index 156957d053..747345df41 100644
--- a/windows/keep-secure/change-rules-from-request-to-require-mode.md
+++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain.
diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md
index 979ef0e243..af8be53831 100644
--- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md
+++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md
index a3cd9303ca..5385c20f4d 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
index f954a6f45e..996a84ad21 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
index 898aff61c0..93506e5368 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
index 8bf35ebe8e..aba8c91407 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
index 41375ddbad..4533b51003 100644
--- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md
index b846638c4e..207e94a1a5 100644
--- a/windows/keep-secure/checklist-creating-group-policy-objects.md
+++ b/windows/keep-secure/checklist-creating-group-policy-objects.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.
diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md
index 16681cba2a..bf0e277be4 100644
--- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md
+++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This checklist includes tasks for creating firewall rules in your GPOs.
diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md
index 22b8d892c8..9187d83a88 100644
--- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md
+++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This checklist includes tasks for creating outbound firewall rules in your GPOs.
diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index bd5a21cdb8..febc811262 100644
--- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
index f72a945895..0e170e2c53 100644
--- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
@@ -26,7 +26,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co
| Task | Reference |
| - | - |
| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
-| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
+| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)|
| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)|
| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)|
diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
index 1cab0a3744..6a65e70ac2 100644
--- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
index a57af52e9a..1c370cc0c7 100644
--- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
index e4ed2e3d00..533859a661 100644
--- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
diff --git a/windows/keep-secure/configure-authentication-methods.md b/windows/keep-secure/configure-authentication-methods.md
index c637681093..cee5bff4da 100644
--- a/windows/keep-secure/configure-authentication-methods.md
+++ b/windows/keep-secure/configure-authentication-methods.md
@@ -14,7 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
diff --git a/windows/keep-secure/configure-data-protection-quick-mode-settings.md b/windows/keep-secure/configure-data-protection-quick-mode-settings.md
index 1b0e5489ab..4c7f4c94ea 100644
--- a/windows/keep-secure/configure-data-protection-quick-mode-settings.md
+++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index a3687db1b5..0251ff4352 100644
--- a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
diff --git a/windows/keep-secure/configure-key-exchange-main-mode-settings.md b/windows/keep-secure/configure-key-exchange-main-mode-settings.md
index 097d29b877..dd11e2d12d 100644
--- a/windows/keep-secure/configure-key-exchange-main-mode-settings.md
+++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md
index 7b9906f26d..7169036152 100644
--- a/windows/keep-secure/configure-s-mime.md
+++ b/windows/keep-secure/configure-s-mime.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+localizationpriority: high
---
diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md
index 0784a64b85..086d294c27 100644
--- a/windows/keep-secure/configure-the-windows-firewall-log.md
+++ b/windows/keep-secure/configure-the-windows-firewall-log.md
@@ -14,7 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md
index 89b5eb68e9..3b75bc141f 100644
--- a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md
index b52b5f6c57..71ec31b565 100644
--- a/windows/keep-secure/configure-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender in Windows 10 (Windows 10)
+title: Configure and use Windows Defender in Windows 10
description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
ms.prod: w10
@@ -14,7 +14,9 @@ author: jasesso
**Applies to**
- Windows 10
-IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+You can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+
+You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies.
## Configure definition updates
diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
index b4990058e6..057dd20255 100644
--- a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
+++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console.
diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md
index 0423277e45..c64746932b 100644
--- a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md
index 694250fe3b..0b0fc49d34 100644
--- a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.
@@ -47,4 +47,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr
12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**.
-13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO.
+13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO.
diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md
index 6aeb64d983..6ada08d53f 100644
--- a/windows/keep-secure/create-a-group-account-in-active-directory.md
+++ b/windows/keep-secure/create-a-group-account-in-active-directory.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.
diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md
index 42a0e5ae62..bdd41a37ca 100644
--- a/windows/keep-secure/create-a-group-policy-object.md
+++ b/windows/keep-secure/create-a-group-policy-object.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To create a new GPO, use the Active Directory Users and Computers MMC snap-in.
diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule.md b/windows/keep-secure/create-an-authentication-exemption-list-rule.md
index b0a4ec1118..e48455f5e9 100644
--- a/windows/keep-secure/create-an-authentication-exemption-list-rule.md
+++ b/windows/keep-secure/create-an-authentication-exemption-list-rule.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.
diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/keep-secure/create-an-authentication-request-rule.md
index 1c947f68f9..42617dc699 100644
--- a/windows/keep-secure/create-an-authentication-request-rule.md
+++ b/windows/keep-secure/create-an-authentication-request-rule.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate.
diff --git a/windows/keep-secure/create-an-inbound-icmp-rule.md b/windows/keep-secure/create-an-inbound-icmp-rule.md
index f76bba3007..83983389da 100644
--- a/windows/keep-secure/create-an-inbound-icmp-rule.md
+++ b/windows/keep-secure/create-an-inbound-icmp-rule.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/keep-secure/create-an-inbound-port-rule.md
index e2a911293f..212bf9a8fc 100644
--- a/windows/keep-secure/create-an-inbound-port-rule.md
+++ b/windows/keep-secure/create-an-inbound-port-rule.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule.md b/windows/keep-secure/create-an-inbound-program-or-service-rule.md
index 51524c047d..62c8e83e1b 100644
--- a/windows/keep-secure/create-an-inbound-program-or-service-rule.md
+++ b/windows/keep-secure/create-an-inbound-program-or-service-rule.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
diff --git a/windows/keep-secure/create-an-outbound-port-rule.md b/windows/keep-secure/create-an-outbound-port-rule.md
index 98c85d581c..9a06f49266 100644
--- a/windows/keep-secure/create-an-outbound-port-rule.md
+++ b/windows/keep-secure/create-an-outbound-port-rule.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule.md b/windows/keep-secure/create-an-outbound-program-or-service-rule.md
index 342e863ffd..2e7e5c2e1e 100644
--- a/windows/keep-secure/create-an-outbound-program-or-service-rule.md
+++ b/windows/keep-secure/create-an-outbound-program-or-service-rule.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 5f9b52ebf2..a9511d644b 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -1,7 +1,7 @@
---
title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10)
description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
-keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection
+keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -11,17 +11,15 @@ ms.pagetype: security
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
**Applies to:**
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+- Windows 10, version 1607
+- Windows 10 Mobile
If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
**To manually create an EFS DRA certificate**
@@ -43,9 +41,9 @@ If you already have an EFS DRA certificate for your organization, you can skip c
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
>**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic.
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
-**To verify your data recovery certificate is correctly set up on an WIP client computer**
+**To verify your data recovery certificate is correctly set up on a WIP client computer**
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP.
@@ -95,15 +93,15 @@ It's possible that you might revoke data from an unenrolled device only to later
The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
## Related topics
-- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx)
+- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
-- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx)
+- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx)
-- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
-- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
+- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
-- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA)
+- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md
index 49a3959cc2..77a7c0ee85 100644
--- a/windows/keep-secure/create-edp-policy-using-intune.md
+++ b/windows/keep-secure/create-edp-policy-using-intune.md
@@ -1,513 +1,5 @@
---
title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Create an enterprise data protection (EDP) policy using Microsoft Intune
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-
-## Important note about the June service update
-We've received some great feedback from you, our Windows 10 Insider Preview customers, about our enterprise data protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing enterprise data protection policy after we release the June service update in your test environment, your existing Windows 10 enterprise data protection app rules (formerly in the **Protected Apps** area) will be removed.
To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing enterprise data protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.
-
-
-
-Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
-
-## Add an EDP policy
-After you’ve set up Intune for your organization, you must create an EDP-specific policy.
-
-**To add an EDP policy**
-1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
-
-2. Go to **Windows**, click the **Enterprise data protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
- 
-
-3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
- 
-
-### Add app rules to your policy
-During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
-
-The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
-
->**Important**
-EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your App Rules list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - -
->**Note**
-If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic.
-
-#### Add a store app rule to your policy
-For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
-
-**To add a store app**
-1. From the **App Rules** area, click **Add**.
-
- The **Add App Rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
-
-3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
-
- Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic.
-
-4. Pick **Store App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is`CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
-
-If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
-
-**To find the Publisher and Product Name values for Store apps without installing them**
-1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
-
- >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic.
-
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ``` json
- {
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
-
- ``` json
- {
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
- ```
-
-**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
-1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
-
- >**Note**
- Your PC and phone must be on the same wireless network.
-
-2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
-
-3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
-
-4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
-
-5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
-
-6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
-
-7. Start the app for which you're looking for the publisher and product name values.
-
-8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
-
- ``` json
- {
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
- ```
-
-#### Add a desktop app rule to your policy
-For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
-
-**To add a desktop app**
-1. From the **App Rules** area, click **Add**.
-
- The **Add App Rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
-
-3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
-
- Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic.
-
-4. Pick **Desktop App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Pick the options you want to include for the app rule (see table), and then click **OK**.
-
-
| Option | -Manages | -
|---|---|
| All fields left as “*” | -All files signed by any publisher. (Not recommended.) | -
| Publisher selected | -All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. |
-
| Publisher and Product Name selected | -All files for the specified product, signed by the named publisher. | -
| Publisher, Product Name, and Binary name selected | -Any version of the named file or package for the specified product, signed by the named publisher. | -
| Publisher, Product Name, Binary name, and File Version, and above, selected | -Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
-
| Publisher, Product Name, Binary name, and File Version, And below selected | -Specified version or older releases of the named file or package for the specified product, signed by the named publisher. | -
| Publisher, Product Name, Binary name, and File Version, Exactly selected | -Specified version of the named file or package for the specified product, signed by the named publisher. | -
After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
-
-
-
-### Define your enterprise-managed corporate identity
-Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
-
-You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-
-**To add your corporate identity**
-- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
- 
-
-### Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-
-There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
->**Important**
-- Every EDP policy should include policy that defines your enterprise network locations.
-- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. - -**To define where your protected apps can find and send enterprise data on you network** - -1. Add additional network locations your apps can access by clicking **Add**. - - The **Add or edit corporate network definition** box appears. - -2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - -  -
-
| Network location type | -Format | -Description | -
|---|---|---|
| Enterprise Cloud Resources | -**With proxy:** contoso.sharepoint.com,proxy.contoso.com| contoso.visualstudio.com,proxy.contoso.com **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by EDP. For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` |
-
| Enterprise Network Domain Names (Required) | -corp.contoso.com,region.contoso.com | -Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
-
| Enterprise Proxy Servers | -proxy.contoso.com:80;proxy2.contoso.com:137 | -Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. |
-
| Enterprise Internal Proxy Servers | -contoso.internalproxy1.com;contoso.internalproxy2.com | -Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
-
| Enterprise IPv4 Range (Required, if not using IPv6) | -**Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
- Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
| Enterprise IPv6 Range (Required, if not using IPv4) | -**Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
| Neutral Resources | -sts.contoso.com,sts.contoso2.com | -Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
-
-The **Create Configuration Item Wizard** starts.
-
- 
-
-3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
-4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
-
- - **Settings for devices managed with the Configuration Manager client:** Windows 10
-
- -OR-
-
- - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
-
-5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
-
- 
-
-6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**.
-
- 
-
-The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization.
-
-### Add app rules to your policy
-During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
-
-The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
-
->**Important**
-EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
-
-#### Add a store app rule to your policy
-For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
-
-**To add a store app**
-
-1. From the **App rules** area, click **Add**.
-
- The **Add app rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
-
-3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
-
- Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
-
-4. Pick **Store App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
-
-If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
-
-**To find the Publisher and Product Name values for Store apps without installing them**
-
-1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
-
- >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
-
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ``` json
- {
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-
-4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
- ```json
- {
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
- ```
-
-**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
-1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
-
- >**Note**
- Your PC and phone must be on the same wireless network.
-
-2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
-
-3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
-
-4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
-
-5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
-
-6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
-
-7. Start the app for which you're looking for the publisher and product name values.
-
-8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example: - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -#### Add a desktop app rule to your policy -For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. - -**To add a desktop app to your policy** -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - -  - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section. - -4. Pick **Desktop App** from the **Rule template** drop-down list. - - The box changes to show the desktop app rule options. - -5. Pick the options you want to include for the app rule (see table), and then click **OK**. - -
| Option | -Manages | -
|---|---|
| All fields left as “*” | -All files signed by any publisher. (Not recommended.) | -
| Publisher selected | -All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. |
-
| Publisher and Product Name selected | -All files for the specified product, signed by the named publisher. | -
| Publisher, Product Name, and Binary name selected | -Any version of the named file or package for the specified product, signed by the named publisher. | -
| Publisher, Product Name, Binary name, and File Version, and above, selected | -Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
-
| Publisher, Product Name, Binary name, and File Version, And below selected | -Specified version or older releases of the named file or package for the specified product, signed by the named publisher. | -
| Publisher, Product Name, Binary name, and File Version, Exactly selected | -Specified version of the named file or package for the specified product, signed by the named publisher. | -
After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
-
-
-
-### Define your enterprise-managed identity domains
-Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
-
-You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-
-**To add your corporate identity**
-
-- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
- 
-
-### Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-
-There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
->**Important**
-- Every EDP policy should include policy that defines your enterprise network locations.
-- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations.
-
-**To define where your protected apps can find and send enterprise data on you network**
-
-1. Add additional network locations your apps can access by clicking **Add**.
-
- The **Add or edit corporate network definition** box appears.
-
-2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
-
- 
-
-
| Network location type | -Format | -Description | -
|---|---|---|
| Enterprise Cloud Resources | -**With proxy:** contoso.sharepoint.com,proxy.contoso.com| contoso.visualstudio.com,proxy.contoso.com **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by EDP. For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` |
-
| Enterprise Network Domain Names (Required) | -corp.contoso.com,region.contoso.com | -Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
-
| Enterprise Proxy Servers | -proxy.contoso.com:80;proxy2.contoso.com:137 | -Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. |
-
| Enterprise Internal Proxy Servers | -contoso.internalproxy1.com;contoso.internalproxy2.com | -Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
-
| Enterprise IPv4 Range (Required) | -**Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
- Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
| Enterprise IPv6 Range | -**Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
| Neutral Resources | -sts.contoso.com,sts.contoso2.com | -Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
-
-It's your choice whether you check the box to **Remember the user credentials at each logon**. - -  - -6. You can leave the rest of the default or blank settings, and then click **Save Policy**. - -## Deploy your VPN policy using Microsoft Intune -After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy. - -**To deploy your VPN policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
-The added people move to the **Selected Groups** list on the right-hand pane. - -  - -3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-The policy is deployed to the selected users' devices.
-
-## Link your EDP and VPN policies and deploy the custom configuration policy
-The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies
-
-**To link your VPN policy**
-
-1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
-
-2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
- 
-
-3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
- 
-
-4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info.
-
-5. In the **OMA-URI Settings** area, type the following info:
-
- - **Setting name.** Type **EdpModeID** as the name.
-
- - **Data type.** Pick the **String** data type.
-
- - **OMA-URI.** Type `./Vendor/MSFT/VPNv2/
+It's your choice whether you check the box to **Remember the user credentials at each logon**.
+
+ 
+
+6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
+
+## Deploy your VPN policy using Microsoft Intune
+After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
+
+**To deploy your VPN policy**
+
+1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
+
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
+The added people move to the **Selected Groups** list on the right-hand pane.
+
+ 
+
+3. After you've picked all of the employees and groups that should get the policy, click **OK**.
+The policy is deployed to the selected users' devices.
+
+## Link your WIP and VPN policies and deploy the custom configuration policy
+The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **WIPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
+
+**To link your VPN policy**
+
+1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
+
+2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+
+ 
+
+3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+
+ 
+
+4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info.
+
+5. In the **OMA-URI Settings** area, type the following info:
+
+ - **Setting name.** Type **WIPModeID** as the name.
+
+ - **Data type.** Pick the **String** data type.
+
+ - **OMA-URI.** Type `./Vendor/MSFT/VPNv2/ To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.
+
+
+
+Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
+
+## Add a WIP policy
+After you’ve set up Intune for your organization, you must create a WIP-specific policy.
+
+**To add a WIP policy**
+1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
+
+2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+
+ 
+
+3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+
+ 
+
+### Add app rules to your policy
+During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+
+The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
+
+>**Important** Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+
+>**Note** For example:
+
+ ```json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
+ ```
+
+**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
+1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
+
+ >**Note** For example: This might be useful if your company is the publisher and signer of internal line-of-business apps. This option is recommended for enlightened apps that weren't previously enlightened. After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
+
+
+
+### Define your enterprise-managed corporate identity
+Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+
+You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+
+**To add your corporate identity**
+- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
+
+ 
+
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
+
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+
+>**Important**
+- Every WIP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+
+**To define where your protected apps can find and send enterprise data on you network**
+
+1. Add additional network locations your apps can access by clicking **Add**.
+
+ The **Add or edit corporate network definition** box appears.
+
+2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
+
+ 
+
+ **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. If you have multiple ranges, you must separate them using the "," delimiter. If you have multiple ranges, you must separate them using the "," delimiter. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter.
+The **Create Configuration Item Wizard** starts.
+
+ 
+
+3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+
+4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
+
+ - **Settings for devices managed with the Configuration Manager client:** Windows 10
+
+ -OR-
+
+ - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
+
+5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
+
+ 
+
+6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
+
+ 
+
+The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
+
+### Add app rules to your policy
+During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+
+The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
+
+>**Important** Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+
+#### Add a store app rule to your policy
+For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
+
+**To add a store app**
+
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
+
+3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
+
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+
+4. Pick **Store App** from the **Rule template** drop-down list.
+
+ The box changes to show the store app rule options.
+
+5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the Publisher and Product Name values for Store apps without installing them**
+
+1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
+
+ >**Note** For example:
+
+ ```json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
+ ```
+
+**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
+1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
+
+ >**Note** For example:
+
+ ```json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
+ ```
+
+#### Add a desktop app rule to your policy
+For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
+
+**To add a desktop app to your policy**
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+
+3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
+
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+
+4. Pick **Desktop App** from the **Rule template** drop-down list.
+
+ The box changes to show the desktop app rule options.
+
+5. Pick the options you want to include for the app rule (see table), and then click **OK**.
+
+ This might be useful if your company is the publisher and signer of internal line-of-business apps. This option is recommended for enlightened apps that weren't previously enlightened. After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
+
+
+
+### Define your enterprise-managed identity domains
+Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+
+You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+
+**To add your corporate identity**
+
+- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
+
+ 
+
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
+
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+
+>**Important** **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. If you have multiple ranges, you must separate them using the "," delimiter. If you have multiple ranges, you must separate them using the "," delimiter. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. Physical PC For PCs running Windows 10, you cannot run Credential Guard on a virtual machine. For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine. Virtual machine For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine. 1. If present, hypervisor support is available. 2. If present, Secure Boot is available. 3. If present, DMA protection is available. 4. If present, Secure Memory Overwrite is available. 5. If present, NX protections are available. 6. If present, SMM mitigations are available. Note: 4, 5, and 6 were added as of Windows 10, version 1607. 0. Nothing is required. 1. If present, Secure Boot is needed. 2. If present, DMA protection is needed. 3. If present, both Secure Boot and DMA protection are needed. 1. If present, hypervisor support is needed. 2. If present, Secure Boot is needed. 3. If present, DMA protection is needed. 4. If present, Secure Memory Overwrite is needed. 5. If present, NX protections are needed. 6. If present, SMM mitigations are needed. Note: 4, 5, and 6 were added as of Windows 10, version 1607.
-The added people move to the **Selected Groups** list on the right-hand pane.
-
- 
-
-3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-The policy is deployed to the selected users' devices.
-
-## Related topics
-- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
--[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
-- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
-- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune
+---
\ No newline at end of file
diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md
new file mode 100644
index 0000000000..757e51c6bf
--- /dev/null
+++ b/windows/keep-secure/deploy-wip-policy-using-intune.md
@@ -0,0 +1,39 @@
+---
+title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
+ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
+
+**To deploy your WIP policy**
+
+1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
+
+ 
+
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
+The added people move to the **Selected Groups** list on the right-hand pane.
+
+ 
+
+3. After you've picked all of the employees and groups that should get the policy, click **OK**.
+The policy is deployed to the selected users' devices.
+
+## Related topics
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
+- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md
index 144252b206..df45d7bcb2 100644
--- a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.
diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md
index 8bbd75608d..01ed85051c 100644
--- a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md
+++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status.
diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md
index 5e60c5e980..566a6df4da 100644
--- a/windows/keep-secure/device-guard-certification-and-compliance.md
+++ b/windows/keep-secure/device-guard-certification-and-compliance.md
@@ -1,4 +1,4 @@
---
title: Device Guard certification and compliance (Windows 10)
-redirect_url: device-guard-deployment-guide.md
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
---
diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md
index 88e67e80c4..9c120835e8 100644
--- a/windows/keep-secure/documenting-the-zones.md
+++ b/windows/keep-secure/documenting-the-zones.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here:
diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md
index 2bfcf9cbc8..f5cc8ea0f6 100644
--- a/windows/keep-secure/domain-isolation-policy-design-example.md
+++ b/windows/keep-secure/domain-isolation-policy-design-example.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams.
diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md
index da2564242b..6f15c8338f 100644
--- a/windows/keep-secure/domain-isolation-policy-design.md
+++ b/windows/keep-secure/domain-isolation-policy-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain.
diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
new file mode 100644
index 0000000000..28f0292d02
--- /dev/null
+++ b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
@@ -0,0 +1,90 @@
+---
+title: Enable phone sign-in to PC or VPN (Windows 10)
+description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone.
+keywords: ["identity", "PIN", "biometric", "Hello"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Enable phone sign-in to PC or VPN
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+In Windows 10, Version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.
+
+
+
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
+You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.
+
+ ## Prerequisites
+
+ - Both phone and PC must be running Windows 10, version 1607.
+ - The PC must be running Windows 10 Pro, Enterprise, or Education
+ - Both phone and PC must have Bluetooth.
+ - The **Microsoft Authenticator** app must be installed on the phone.
+ - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
+ - The phone must be joined to Azure AD or have a work account added.
+ - The VPN configuration profile must use certificate-based authentication.
+
+## Set policies
+
+To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
+
+- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
+ - Enable **Use Windows Hello for Business**
+ - Enable **Phone Sign-in**
+- MDM:
+ - Set **UsePassportForWork** to **True**
+ - Set **Remote\UseRemotePassport** to **True**
+
+## Configure VPN
+
+To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
+
+- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
+- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
+
+## Get the app
+
+If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).
+
+[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)
+
+
+## Related topics
+
+[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
+
+[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
+
+[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
+
+[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
+
+[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
+
+[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+
+[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
+
+[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/keep-secure/enable-predefined-inbound-rules.md
index fe16701837..59e8325dac 100644
--- a/windows/keep-secure/enable-predefined-inbound-rules.md
+++ b/windows/keep-secure/enable-predefined-inbound-rules.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
diff --git a/windows/keep-secure/enable-predefined-outbound-rules.md b/windows/keep-secure/enable-predefined-outbound-rules.md
index 1691399b8a..137de67aa2 100644
--- a/windows/keep-secure/enable-predefined-outbound-rules.md
+++ b/windows/keep-secure/enable-predefined-outbound-rules.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
new file mode 100644
index 0000000000..322d36d515
--- /dev/null
+++ b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
@@ -0,0 +1,110 @@
+---
+title: Detect and block Potentially Unwanted Application with Windows Defender
+description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
+keywords: pua, enable, detect pua, block pua, windows defender and pua
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: detect
+ms.sitesec: library
+ms.pagetype: security
+author: dulcemv
+---
+
+# Detect and block Potentially Unwanted Application in Windows 10
+
+**Applies to:**
+
+- Windows 10
+
+You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
+
+Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
+
+Typical examples of PUA behavior include:
+* Various types of software bundling
+* Ad-injection into your browsers
+* Driver and registry optimizers that detect issues, request payment to fix them, and persist
+
+These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
+
+Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
+
+**Enable PUA protection in SCCM and Intune**
+
+The PUA feature is available for enterprise users who are running System Center Configuration Manager (SCCM) or Microsoft Intune in their infrastructure.
+
+***Configure PUA in SCCM***
+
+For SCCM users, PUA is enabled by default. See the following topics for configuration details:
+
+If you are using these versions | See these topics
+:---|:---
+System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy) Not configured: Users can provision Passport for Work, which encrypts their domain password. Enabled: Device provisions Passport for Work using keys or certificates for all users. Disabled: Device does not provision Passport for Work for any user. Not configured: Users can provision Windows Hello for Business, which encrypts their domain password. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device does not provision Windows Hello for Business for any user. Not configured: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Enabled: Passport for Work will only be provisioned using TPM. Disabled: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Enabled: Windows Hello for Business will only be provisioned using TPM. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Use Remote Passport Use Phone Sign-in Not configured: Remote Passport is disabled. Not configured: Phone sign-in is disabled. Enabled: Users can use a portable, registered device as a companion device for desktop authentication. Disabled: Remote Passport is disabled. Disabled: Phone sign-in is disabled. True: Passport will be provisioned for all users on the device. False: Users will not be able to provision Passport. True: Windows Hello for Business will be provisioned for all users on the device. False: Users will not be able to provision Windows Hello for Business. True: Passport will only be provisioned using TPM. False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. True: Biometrics can be used as a gesture in place of a PIN for domain logon. False: Only a PIN can be used as a gesture for domain logon. True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. False: Only a PIN can be used as a gesture for domain sign-in. True: Remote Passport is enabled. False: Remote Passport is disabled. True: Phone sign-in is enabled. False: Phone sign-in is disabled. After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
- **Note**
- You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list.
-
- - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list.
-
- - **Continuous data encryption.** EDP helps protect enterprise data on local files and on removable media.
- Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
-
- - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption.
-
- - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-
-- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. **Note** We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
-|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list. For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution.
-
-## Next steps
-After deciding to use EDP in your enterprise, you need to:
-
-- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
\ No newline at end of file
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
+---
\ No newline at end of file
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
new file mode 100644
index 0000000000..824df7b27f
--- /dev/null
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -0,0 +1,82 @@
+---
+title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
+description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control.
+ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Protect your enterprise data using Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+
+Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
+
+## Prerequisites
+You’ll need this software to run WIP in your enterprise:
+
+|Operating system | Management solution |
+|-----------------|---------------------|
+|Windows 10, version 1607 | Microsoft Intune After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. |
+ **Note** **Note** **Note** The app shouldn't be able to access the file. If your default app association is an app not on your **Protected Apps** list, you should get an **Access Denied** error message. You should see an EDP-related warning box, asking you to click either **Got it** or **Cancel**. The content isn't pasted into the non-enterprise app. The content is pasted into the non-enterprise app. The content should copy and paste between apps without any warning messages. You should see an EDP-related warning box, asking you to click either **Drag Anyway** or **Cancel**. The content isn't dropped into the non-enterprise app. The content is dropped into the non-enterprise app. The content should move between the apps without any warning messages. You should see an EDP-related warning box, asking you to click either **Share Anyway** or **Cancel**. The content isn't shared into Facebook. The content is shared into Facebook. The content should share between the apps without any warning messages. EDP should encrypt the file to your Enterprise Identity. The file should be decrypted and the **Lock** icon should disappear. **Note** A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. The device should be removed and all of the enterprise content for that managed account should be gone. **Important** **Note** The app shouldn't be able to access the file. If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message. You should see a WIP-related warning box, asking you to click either **Got it** or **Cancel**. The content isn't pasted into the non-enterprise app. The content is pasted into the non-enterprise app. The content should copy and paste between apps without any warning messages. You should see a WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**. The content isn't dropped into the non-enterprise app. The content is dropped into the non-enterprise app. The content should move between the apps without any warning messages. You should see a WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**. The content isn't shared into Facebook. The content is shared into Facebook. The content should share between the apps without any warning messages. WIP should encrypt the file to your Enterprise Identity. The file should be decrypted and the **Lock** icon should disappear. **Note** A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. The device should be removed and all of the enterprise content for that managed account should be gone. **Important** NOTE:
+ Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed: Client Operating System Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later Server Operating System Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016 [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Active Directory or WSUS, apply updates to endpoints, and manage scans using: [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS. [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. [Windows Spotlight on the lock screen](windows-spotlight.md) Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. [Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device HORM is supported in Windows 10, version 1607. [Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated. [Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path. [Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category. Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application. [Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus. [Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing. Control over which processes are able to run will now be provided by AppLocker. System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below. [Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps. Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications. [Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager. [USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices. Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only). [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device. In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed. Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app. [Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access. [Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. [Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. None. Turns off Delivery Optimization. Group. Gets or sends updates and apps to PCs on the same local network domain. Internet. Gets or sends updates and apps to PCs on the Internet. LAN. Gets or sends updates and apps to PCs on the same NAT only. None. Turns off Delivery Optimization. Group. Gets or sends updates and apps to PCs on the same local network domain. Internet. Gets or sends updates and apps to PCs on the Internet. LAN. Gets or sends updates and apps to PCs on the same NAT only. Simple. Simple download mode with no peering. Bypass. Use BITS instead of Windows Update Delivery Optimization. 0. Turns off Delivery Optimization. 1. Gets or sends updates and apps to PCs on the same NAT only. 2. Gets or sends updates and apps to PCs on the same local network domain. 3. Gets or sends updates and apps to PCs on the Internet. 0. Turns off Delivery Optimization. 1. Gets or sends updates and apps to PCs on the same NAT only. 2. Gets or sends updates and apps to PCs on the same local network domain. 3. Gets or sends updates and apps to PCs on the Internet. 99. Simple download mode with no peering. 100. Use BITS instead of Windows Update Delivery Optimization. [Microsoft System Center Configuration Manager Technical Preview](http://go.microsoft.com/fwlink/p/?LinkId=613622) [Microsoft System Center Configuration Manager 2016](http://go.microsoft.com/fwlink/p/?LinkId=613622) Client deployment, upgrade, and management with new and existing features [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md) The Account information page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business The Account information page in Windows Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings. [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) Policy name Value When set? Admin Templates > Control Panel > Personalization Prevent enabling lock screen slide show Enabled Always Prevent changing lock screen and logon image Enabled Always Admin Templates > System > Power Management > Button Settings Select the Power button action (plugged in) Sleep SetPowerPolicies=True Select the Power button action (on battery) Sleep SetPowerPolicies=True Select the Sleep button action (plugged in) Sleep SetPowerPolicies=True Select the lid switch action (plugged in) Sleep SetPowerPolicies=True Select the lid switch action (on battery) Sleep SetPowerPolicies=True Admin Templates > System > Power Management > Sleep Settings Require a password when a computer wakes (plugged in) Enabled SignInOnResume=True Require a password when a computer wakes (on battery) Enabled SignInOnResume=True Specify the system sleep timeout (plugged in) *SleepTimeout* SetPowerPolicies=True Specify the system sleep timeout (on battery) *SleepTimeout* SetPowerPolicies=True Turn off hybrid sleep (plugged in) Enabled SetPowerPolicies=True Turn off hybrid sleep (on battery) Enabled SetPowerPolicies=True Specify the unattended sleep timeout (plugged in) *SleepTimeout* SetPowerPolicies=True Specify the unattended sleep timeout (on battery) *SleepTimeout* SetPowerPolicies=True Allow standby states (S1-S3) when sleeping (plugged in) Enabled SetPowerPolicies=True Allow standby states (S1-S3) when sleeping (on battery) Enabled SetPowerPolicies=True Specify the system hibernate timeout (plugged in) Enabled, 0 SetPowerPolicies=True Specify the system hibernate timeout (on battery) Enabled, 0 SetPowerPolicies=True Admin Templates>System>Power Management>Video and Display Settings Turn off the display (plugged in) *SleepTimeout* SetPowerPolicies=True Turn off the display (on battery *SleepTimeout* SetPowerPolicies=True Admin Templates>System>Logon Show first sign-in animation Disabled Always Hide entry points for Fast User Switching Enabled Always Turn on convenience PIN sign-in Disabled Always Turn off picture password sign-in Enabled Always Turn off app notification on the lock screen Enabled Always Allow users to select when a password is required when resuming from connected standby Disabled SignInOnResume=True Block user from showing account details on sign-in Enabled Always Admin Templates>System>User Profiles Turn off the advertising ID Enabled SetEduPolicies=True Admin Templates>Windows Components Do not show Windows Tips Enabled SetEduPolicies=True Turn off Microsoft consumer experiences Enabled SetEduPolicies=True Microsoft Passport for Work Disabled Always Prevent the usage of OneDrive for file storage Enabled Always Admin Templates>Windows Components>Biometrics Allow the use of biometrics Disabled Always Allow users to log on using biometrics Disabled Always Allow domain users to log on using biometrics Disabled Always Admin Templates>Windows Components>Data Collection and Preview Builds Toggle user control over Insider builds Disabled Always Disable pre-release features or settings Disabled Always Do not show feedback notifications Enabled Always Admin Templates>Windows Components>File Explorer Show lock in the user tile menu Disabled Always Admin Templates>Windows Components>Maintenance Scheduler Automatic Maintenance Activation Boundary *MaintenanceStartTime* Always Automatic Maintenance Random Delay Enabled, 2 hours Always Automatic Maintenance WakeUp Policy Enabled Always Admin Templates>Windows Components>Microsoft Edge Open a new tab with an empty tab Disabled SetEduPolicies=True Configure corporate home pages Enabled, about:blank SetEduPolicies=True Admin Templates>Windows Components>Search Allow Cortana Disabled SetEduPolicies=True Windows Settings>Security Settings>Local Policies>Security Options Interactive logon: Do not display last user name Enabled, Disabled when account model is only guest Always Interactive logon: Sign-in last interactive user automatically after a system-initiated restart Disabled Always Shutdown: Allow system to be shut down without having to log on Disabled Always User Account Control: Behavior of the elevation prompt for standard users Auto deny Always Kid's corner (disabled in Assigned Access) Apps corner (disabled in Assigned Access) [Windows Store for Business overview](windows-store-for-business-overview.md) Learn about Windows Store for Business. [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md) There are a few prerequisites for using Store for Business. [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md) Before you sign up for Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process. [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md) The first person to sign in to Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md) The Store for Business has a group of settings that admins use to manage the store. Group Policy: Start layout Group Policy: Prevent users from customizing their Start Screen Start layout can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which Start layout was created. When a Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own. Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar.
Admin X X X Purchaser X X Device Guard signer X [Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md) This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). [AppLocker](applocker.md) AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. [BitLocker](bitlocker.md) BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. [Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md) Resources to help you explore the Windows 10 browsing options for your enterprise. [Credential Guard](credential-guard.md) Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. [Device Guard](device-guard-overview.md) Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. [Enterprise data protection (EDP)](edp-whats-new-overview.md) With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. [Enterprise management for Windows 10 devices](device-management.md) Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. [Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md) Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. [Microsoft Passport](microsoft-passport.md) In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. [Provisioning packages](new-provisioning-packages.md) With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. [Security](security.md) There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources. [Security auditing](security-auditing.md) Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. [Trusted Platform Module](trusted-platform-module.md) This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. [User Account Control](user-account-control.md) User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. [Windows spotlight on the lock screen](windows-spotlight.md) Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background. [Windows Store for Business overview](windows-store-for-business-overview.md) With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. [Windows Update for Business](windows-update-for-business.md) Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. [Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device HORM is not supported in Windows 10. However, with enhancements to the Windows boot process and Unified Extensible Firmware Interface (UEFI) hardware, startup times can be dramatically reduced compared to previous versions. [Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated. [Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path. [Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category. Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application. [Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus. [Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing. Control over which processes are able to run will now be provided by AppLocker. System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below. [Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps. Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications. [Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager. [USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices. Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only). [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device. In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed. Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app. [Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access. [Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. [Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. Admin X X X Purchaser X X Device Guard signer X
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+
+#### Add a store app rule to your policy
+For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
+
+**To add a store app**
+1. From the **App Rules** area, click **Add**.
+
+ The **Add App Rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
+
+3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
+
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
+
+4. Pick **Store App** from the **Rule template** drop-down list.
+
+ The box changes to show the store app rule options.
+
+5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the Publisher and Product Name values for Store apps without installing them**
+1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
+
+ >**Note**
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
+
+ The API runs and opens a text editor with the app details.
+
+ ```json
+ {
+ "packageIdentityName": "Microsoft.Office.OneNote",
+ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ }
+ ```
+
+4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
Your PC and phone must be on the same wireless network.
+
+2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
+
+3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7. Start the app for which you're looking for the publisher and product name values.
+
+8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
+
+ ``` json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
+ ```
+
+#### Add a desktop app rule to your policy
+For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
+
+**To add a desktop app**
+1. From the **App Rules** area, click **Add**.
+
+ The **Add App Rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+
+3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
+
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
+
+4. Pick **Desktop App** from the **Rule template** drop-down list.
+
+ The box changes to show the store app rule options.
+
+5. Pick the options you want to include for the app rule (see table), and then click **OK**.
+
+
+
+
+If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+
+```ps1
+ Get-AppLockerFileInformation -Path "
+
+ Option
+ Manages
+
+
+ All fields left as “*”
+ All files signed by any publisher. (Not recommended.)
+
+
+ Publisher selected
+ All files signed by the named publisher.
+
+
+ Publisher and Product Name selected
+ All files for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, and Binary name selected
+ Any version of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, and above, selected
+ Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, And below selected
+ Specified version or older releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, Exactly selected
+ Specified version of the named file or package for the specified product, signed by the named publisher.
+
+ This is the XML file that AppLocker creates for Microsoft Photos.
+
+ ```xml
+
+
+
+3. Add as many locations as you need, and then click **OK**.
+
+ The **Add corporate network definition** box closes.
+
+4. Decide if you want to Windows to look for additional network settings:
+
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+ - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+
+5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ 
+
+ After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
+
+ For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
+
+### Choose your optional WIP-related settings
+After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
+
+
+
+**To set your optional settings**
+1. Choose to set any or all of the optional settings:
+
+ - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
+
+ - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
+
+ - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
+
+ - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
+
+ - **Yes (recommended).** Turns on the feature and provides the additional protection.
+
+ - **No, or not configured.** Doesn't enable this feature.
+
+ - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+
+ - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
+
+ - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+
+ - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
+
+ - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
+
+ - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
+
+ - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are:
+
+ - **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+
+ - **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+
+2. Click **Save Policy**.
+
+## Related topics
+- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
new file mode 100644
index 0000000000..f439f23db6
--- /dev/null
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -0,0 +1,504 @@
+---
+title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
+description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+- System Center Configuration Manager
+
+System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+
+>**Important**
+
+ Network location type
+ Format
+ Description
+
+
+ Enterprise Cloud Resources
+ **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
+
contoso.visualstudio.com,proxy.contoso.comSpecify the cloud resources to be treated as corporate and protected by WIP.
+
+
+ Enterprise Network Domain Names (Required)
+ corp.contoso.com,region.contoso.com
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
+
+
+ Enterprise Proxy Servers
+ proxy.contoso.com:80;proxy2.contoso.com:137
+ Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.
+
+
+ Enterprise Internal Proxy Servers
+ contoso.internalproxy1.com;contoso.internalproxy2.com
+ Specify the proxy servers your devices will go through to reach your cloud resources.
+
+
+ Enterprise IPv4 Range (Required, if not using IPv6)
+ **Starting IPv4 Address:** 3.4.0.1
+
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+ Enterprise IPv6 Range (Required, if not using IPv4)
+ **Starting IPv6 Address:** 2a01:110::
+
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffSpecify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+ Neutral Resources
+ sts.contoso.com,sts.contoso2.com
+ Specify your authentication redirection endpoints for your company.
+
+If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
+
+## Add a WIP policy
+After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
+
+**To create a configuration item for WIP**
+
+1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
+
+ 
+
+2. Click the **Create Configuration Item** button.
+WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
+
+ The API runs and opens a text editor with the app details.
+
+ ``` json
+ {
+ "packageIdentityName": "Microsoft.Office.OneNote",
+ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ }
+ ```
+
+4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+ Your PC and phone must be on the same wireless network.
+
+2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
+
+3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7. Start the app for which you're looking for the publisher and product name values.
+
+8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+
+
+If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+
+```ps1
+Get-AppLockerFileInformation -Path "
+
+ Option
+ Manages
+
+
+ All fields left as “*”
+ All files signed by any publisher. (Not recommended.)
+
+
+ Publisher selected
+ All files signed by the named publisher.
+
+
+ Publisher and Product Name selected
+ All files for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, and Binary name selected
+ Any version of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, and above, selected
+ Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, And below selected
+ Specified version or older releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, Exactly selected
+ Specified version of the named file or package for the specified product, signed by the named publisher.
+
+ This is the XML file that AppLocker creates for Microsoft Photos.
+
+ ```xml
+
+- Every WIP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+
+**To define where your protected apps can find and send enterprise data on you network**
+
+1. Add additional network locations your apps can access by clicking **Add**.
+
+ The **Add or edit corporate network definition** box appears.
+
+2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
+
+ 
+
+
+
+
+3. Add as many locations as you need, and then click **OK**.
+
+ The **Add or edit corporate network definition** box closes.
+
+4. Decide if you want to Windows to look for additional network settings.
+
+ 
+
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+ - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+
+5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ 
+
+ After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
+
+ For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
+
+### Choose your optional WIP-related settings
+After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
+
+
+
+**To set your optional settings**
+1. Choose to set any or all of the optional settings:
+
+ - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
+
+ - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
+
+ - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
+
+ - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
+
+ - **Yes (recommended).** Turns on the feature and provides the additional protection.
+
+ - **No, or not configured.** Doesn't enable this feature.
+
+ - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
+
+ - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
+
+ - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
+
+ - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+
+ - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
+
+ - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+
+2. After you pick all of the settings you want to include, click **Summary**.
+
+### Review your configuration choices in the Summary screen
+After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
+
+**To view the Summary screen**
+- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
+
+ 
+
+ A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
+
+
+## Deploy the WIP policy
+After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
+- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224)
+- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225)
+- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
+
+## Related topics
+- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
+- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
+- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
\ No newline at end of file
diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md
index f4b066d3e1..3cbb5be9a5 100644
--- a/windows/keep-secure/create-wmi-filters-for-the-gpo.md
+++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
index fdf497e545..6d70cbad2b 100644
--- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
+++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
@@ -1,5 +1,5 @@
---
title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
-redirect_url: device-guard-deployment-guide.md
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
---
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 3974a748e2..c03bc8cfbf 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -90,7 +90,7 @@ The PC must meet the following hardware and software requirements to use Credent
+
+ Network location type
+ Format
+ Description
+
+
+ Enterprise Cloud Resources
+ **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
+
contoso.visualstudio.com,proxy.contoso.comSpecify the cloud resources to be treated as corporate and protected by WIP.
+
+
+ Enterprise Network Domain Names (Required)
+ corp.contoso.com,region.contoso.com
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
+
+
+ Enterprise Proxy Servers
+ proxy.contoso.com:80;proxy2.contoso.com:137
+ Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.
+
+
+ Enterprise Internal Proxy Servers
+ contoso.internalproxy1.com;contoso.internalproxy2.com
+ Specify the proxy servers your devices will go through to reach your cloud resources.
+
+
+ Enterprise IPv4 Range (Required)
+ **Starting IPv4 Address:** 3.4.0.1
+
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+ Enterprise IPv6 Range
+ **Starting IPv6 Address:** 2a01:110::
+
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffSpecify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+ Neutral Resources
+ sts.contoso.com,sts.contoso2.com
+ Specify your authentication redirection endpoints for your company.
+ TPM 2.0
-
@@ -109,7 +109,11 @@ The PC must meet the following hardware and software requirements to use Credent
Windows 10 version 1511
+Windows 10 version 1511 or later
TPM 2.0 or TPM 1.2
+
+
@@ -139,14 +143,14 @@ If you would like to add Credential Guard to an image, you can do this by adding
### Add the virtualization-based security features
First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
-> **Note:** If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
+> [!NOTE]
+> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
**Add the virtualization-based security features by using Programs and Features**
1. Open the Programs and Features control panel.
2. Click **Turn Windows feature on or off**.
-3. Select the **Isolated User Mode** check box.
-4. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
-5. Click **OK**.
+3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
+4. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
1. Open an elevated command prompt.
@@ -154,12 +158,15 @@ First, you must add the virtualization-based security features. You can do this
``` syntax
dism /image:
+Hyper-V Hypervisor (shown in Figure 1).
+
+- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
+Hyper-V Hypervisor and Isolated User Mode (not shown).
> **Note** You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
-Figure 1. Enable operating system features for VBS
+Figure 1. Enable operating system feature for VBS
-After you enable these features, you can configure any additional hardware-based security features you want. The following sections provide more information:
+After you enable the feature or features, you can configure any additional hardware-based security features you want. The following sections provide more information:
- [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot)
- [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity)
@@ -44,7 +50,7 @@ After you enable these features, you can configure any additional hardware-based
Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10.
-> **Note** There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled.
+> **Note** There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. For more information about how IOMMUs help protect against DMA attacks, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
@@ -52,9 +58,9 @@ Before you begin this process, verify that the target device meets the hardware
3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate:
- - Set this value to **1** to enable the **Secure Boot** option.
-
- - Set this value to **2** to enable the **Secure Boot with DMA Protection** option.
+ | **With Windows 10, version 1607,
or Windows Server 2016** | **With an earlier version of Windows 10,
or Windows Server 2016 Technical Preview 5 or earlier** |
+ | ---------------- | ---------------- |
+ | **1** enables the **Secure Boot** option
**3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option
**2** enables the **Secure Boot and DMA protection** option |
4. Restart the client computer.
@@ -80,11 +86,11 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
Figure 6. Enable VBS
-5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.
+5. Select the **Enabled** button, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.
- Figure 7. Enable Secure Boot
+ Figure 7. Enable Secure Boot (in Windows 10, version 1607)
> **Note** Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMUs, there are several mitigations provided by leveraging Secure Boot without DMA Protection.
@@ -102,7 +108,11 @@ Before you begin this process, verify that the desired computer meets the hardwa
**To configure virtualization-based protection of KMCI manually:**
-1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
+1. Navigate to the appropriate registry subkey:
+
+ - With Windows 10, version 1607, or Windows Server 2016:
**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios**
+
+ - With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard**
2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**.
@@ -130,11 +140,15 @@ It would be time consuming to perform these steps manually on every protected co
Figure 3. Enable VBS
-5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box.
+5. Select the **Enabled** button, and then for **Virtualization Based Protection of Code Integrity**, select the appropriate option:
+
+ - With Windows 10, version 1607 or Windows Server 2016, choose an enabled option:
For an initial deployment or test deployment, we recommend **Enabled without UEFI lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with UEFI lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
+
+ - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Select the **Enable Virtualization Based Protection of Code Integrity** check box.
- Figure 4. Enable VBS of KMCI
+ Figure 4. Enable VBS of KMCI (in Windows 10, version 1607)
6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart.
@@ -176,7 +190,12 @@ Table 1. Win32\_DeviceGuard properties
InstanceIdentifier
@@ -188,10 +207,15 @@ Table 1. Win32\_DeviceGuard properties
This field describes the required security properties to enable virtualization-based security.
SecurityServicesConfigured
diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md
index 7b23a44cf2..c9528077e0 100644
--- a/windows/keep-secure/deploy-edp-policy-using-intune.md
+++ b/windows/keep-secure/deploy-edp-policy-using-intune.md
@@ -1,50 +1,5 @@
---
title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices.
-ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
-keywords: EDP, Enterprise Data Protection, Intune
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Deploy your enterprise data protection (EDP) policy using Microsoft Intune
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
-
-**To deploy your EDP policy**
-
-1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
-
- 
-
-2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
+System Center 2012 R2 Endpoint Protection
System Center 2012 Configuration Manager
System Center 2012 Configuration Manager SP1
System Center 2012 Configuration Manager SP2
System Center 2012 R2 Configuration Manager
System Center 2012 Endpoint Protection SP1
System Center 2012 Endpoint Protection
System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
+
+
+***Use PUA audit mode in SCCM***
+
+You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.
+
+1. Open PowerShell as Administrator
+
+ a. Click **Start**, type **powershell**, and press **Enter**.
+
+ b. Click **Windows PowerShell** to open the interface.
+
+ > [!NOTE]
+ > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+
+2. Enter the PowerShell command:
+
+ ```text
+ et-mpPreference -puaprotection 2
+ ```
+> [!NOTE]
+> PUA events are reported in the Windows Event Viewer and not in SCCM.
+
+
+***Configure PUA in Intune***
+
+ PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
+
+
+ ***Use PUA audit mode in Intune***
+
+ You can detect PUA without blocking them from your client. Gain insights into what can be blocked.
+
+**View PUA events**
+
+PUA events are reported in the Windows Event Viewer and not in SCCM or Intune. To view PUA events:
+
+1. Open **Event Viewer**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+3. Double-click on **Operational**.
+4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
+
+You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
+
+
+**What PUA notifications look like**
+
+When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
+
+
+
+To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
+
+
+
+**PUA threat file-naming convention**
+
+When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
+
+**PUA blocking conditions**
+
+PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
+* The file is being scanned from the browser
+* The file has [Mark of the Web](https://msdn.microsoft.com/en-us/library/ms537628%28v=vs.85%29.aspx) set
+* The file is in the %downloads% folder
+* Or if the file in the %temp% folder
diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md
index dcb49121a4..357f2eebfc 100644
--- a/windows/keep-secure/encryption-zone-gpos.md
+++ b/windows/keep-secure/encryption-zone-gpos.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section.
diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md
index f6fd2aacd4..7e59ef31e3 100644
--- a/windows/keep-secure/encryption-zone.md
+++ b/windows/keep-secure/encryption-zone.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices.
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md
index bf8d546f56..c152dca1e5 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md
@@ -1,89 +1,5 @@
---
title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
-ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
-keywords: EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# List of enlightened Microsoft apps for use with enterprise data protection (EDP)
-
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list.
-
-## Enlightened versus unenlightened apps
-Apps can be enlightened (policy-aware) or unenlightened (policy unaware).
-
-- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
-
-- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
-
- - Windows Desktop shows it as always running in enterprise mode.
-
- - Windows **Save As** experiences only allow you to save your files as enterprise.
-
-## List of enlightened Microsoft apps
-Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
-
-- Microsoft Edge
-
-- Internet Explorer 11
-
-- Microsoft People
-
-- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-
-- Microsoft Photos
-
-- Microsoft OneDrive
-
-- Groove Music
-
-- Notepad
-
-- Microsoft Paint
-
-- Microsoft Movies & TV
-
-- Microsoft Messaging
-
-## Adding enlightened Microsoft apps to the Protected Apps list
-You can add any or all of the enlightened Microsoft apps to your Protected Apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
-
-|Product name |App info |
-|-------------|---------|
-|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
-|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app |
-|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
-|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
-|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app |
-|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
-|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
-|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
-|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
-|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.microsoftskydrive
**App Type:** Universal app |
-|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
-|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app |
-|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app |
-|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
-|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip
+---
\ No newline at end of file
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
new file mode 100644
index 0000000000..33d2044176
--- /dev/null
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -0,0 +1,77 @@
+---
+title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
+description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
+ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# List of enlightened Microsoft apps for use with Windows Information Protection(WIP)
+
+**Applies to:**
+
+- Windows 10, version 6017
+- Windows 10 Mobile
+
+Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
+
+## Enlightened versus unenlightened apps
+Apps can be enlightened (policy-aware) or unenlightened (policy-unaware).
+
+- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
+
+- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
+
+ - Windows Desktop shows it as always running in enterprise mode.
+
+ - Windows **Save As** experiences only allow you to save your files as enterprise.
+
+## List of enlightened Microsoft apps
+Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
+
+- Microsoft Edge
+
+- Internet Explorer 11
+
+- Microsoft People
+
+- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
+
+- Microsoft Photos
+
+- Microsoft OneDrive
+
+- Groove Music
+
+- Notepad
+
+- Microsoft Paint
+
+- Microsoft Movies & TV
+
+- Microsoft Messaging
+
+## Adding enlightened Microsoft apps to the allowed apps list
+You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
+
+|Product name |App info |
+|-------------|---------|
+|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
+|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app |
+|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
+|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
+|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app |
+|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
+|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
+|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
+|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
+|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.microsoftskydrive
**App Type:** Universal app |
+|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
+|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app |
+|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app |
+|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
+|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
\ No newline at end of file
diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md
index 35a8444e6e..c7fe4f7637 100644
--- a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md
+++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization.
diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md
index 3eb6bdda15..936468b4c3 100644
--- a/windows/keep-secure/event-4706.md
+++ b/windows/keep-secure/event-4706.md
@@ -127,13 +127,13 @@ This event is generated only on domain controllers.
| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. |
| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. |
| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). |
-| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. |
-| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
+| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT |
-| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. |
-| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
+| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
+| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust:
diff --git a/windows/keep-secure/event-4716.md b/windows/keep-secure/event-4716.md
index 8140c94b16..65ea86275d 100644
--- a/windows/keep-secure/event-4716.md
+++ b/windows/keep-secure/event-4716.md
@@ -127,13 +127,13 @@ This event is generated only on domain controllers.
| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. |
| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. |
| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). |
-| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. |
-| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
+| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT |
-| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. |
-| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
+| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
+| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust:
diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md
index 8b692f1ea3..44897f5f13 100644
--- a/windows/keep-secure/event-4739.md
+++ b/windows/keep-secure/event-4739.md
@@ -165,14 +165,14 @@ This event generates when one of the following changes was made to local compute
| Value | Identifier | Domain controller operating systems that are allowed in the domain |
|-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
Windows Server 2003 operating system
Windows Server 2008 operating system
Windows Server 2008 R2 operating system
Windows Server 2012 operating system
Windows Server 2012 R2 operating system
Windows Server 2016 Technical Preview operating system |
-| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview |
-| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview |
-| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview |
-| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview |
-| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview |
-| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
Windows Server 2016 Technical Preview |
-| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview |
+| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
Windows Server 2003 operating system
Windows Server 2008 operating system
Windows Server 2008 R2 operating system
Windows Server 2012 operating system
Windows Server 2012 R2 operating system
Windows Server 2016 operating system |
+| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 |
+| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 |
+| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 |
+| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 |
+| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 |
+| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
Windows Server 2016 |
+| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 |
- **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document.
diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/keep-secure/exempt-icmp-from-authentication.md
index a60e483753..21100a9674 100644
--- a/windows/keep-secure/exempt-icmp-from-authentication.md
+++ b/windows/keep-secure/exempt-icmp-from-authentication.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol.
diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md
index 3ebf7a465b..fc0fd3b704 100644
--- a/windows/keep-secure/exemption-list.md
+++ b/windows/keep-secure/exemption-list.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md
index b264a38993..229cb2a3e0 100644
--- a/windows/keep-secure/firewall-gpos.md
+++ b/windows/keep-secure/firewall-gpos.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md
index 41310314aa..8dad2b48f7 100644
--- a/windows/keep-secure/firewall-policy-design-example.md
+++ b/windows/keep-secure/firewall-policy-design-example.md
@@ -13,13 +13,13 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
In this example, the fictitious company Woodgrove Bank is a financial services institution.
Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing.
-Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems.
+Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems.
A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server.
@@ -60,7 +60,7 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t
- Client devices that run Windows 10, Windows 8, or Windows 7
-- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them)
+- WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them)
- WGBank partner servers that run Windows Server 2008
diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
index 33727fc9f4..0c507fdc73 100644
--- a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed:
diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
index 65555cc782..67dcea5661 100644
--- a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:
diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/keep-secure/gathering-information-about-your-devices.md
index 1f3b73fa21..7f4692a95a 100644
--- a/windows/keep-secure/gathering-information-about-your-devices.md
+++ b/windows/keep-secure/gathering-information-about-your-devices.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned.
diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md
index ca8d396fcb..83ee00960a 100644
--- a/windows/keep-secure/gathering-other-relevant-information.md
+++ b/windows/keep-secure/gathering-other-relevant-information.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization.
diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md
index 3e8a62b0cc..a11fbf67c8 100644
--- a/windows/keep-secure/gathering-the-information-you-need.md
+++ b/windows/keep-secure/gathering-the-information-you-need.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
index 1a19780713..fe5431ac69 100644
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
@@ -183,7 +183,7 @@ In Endpoint Protection, you can use the advanced scanning options to configure a
## Related topics
-[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md
index 542e85c56f..88a3f076b6 100644
--- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md
+++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md
@@ -1,4 +1,4 @@
---
title: Get apps to run on Device Guard-protected devices (Windows 10)
-redirect_url: device-guard-deployment-guide.md
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
---
diff --git a/windows/keep-secure/gpo-domiso-boundary.md b/windows/keep-secure/gpo-domiso-boundary.md
index 22db5273b8..00fb043b7a 100644
--- a/windows/keep-secure/gpo-domiso-boundary.md
+++ b/windows/keep-secure/gpo-domiso-boundary.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md
index 226c9deac1..d1349941e1 100644
--- a/windows/keep-secure/gpo-domiso-firewall.md
+++ b/windows/keep-secure/gpo-domiso-firewall.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md
index 0f2faadb9e..a6ab80ad09 100644
--- a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md
+++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md
index fb984adf5f..91cd4e3890 100644
--- a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md
+++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008.
diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md
index fd1ffe2dcd..cfd70be3cc 100644
--- a/windows/keep-secure/guidance-and-best-practices-edp.md
+++ b/windows/keep-secure/guidance-and-best-practices-edp.md
@@ -1,39 +1,5 @@
---
title: General guidance and best practices for enterprise data protection (EDP) (Windows 10)
description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
-ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
-keywords: EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# General guidance and best practices for enterprise data protection (EDP)
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-This section includes info about the enlightened Microsoft apps, including how to add them to your **Protected Apps** list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
-
-## In this section
-|Topic |Description |
-|------|------------|
-|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
-|[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. |
-|[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. |
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip
+---
\ No newline at end of file
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md
new file mode 100644
index 0000000000..28eb875c28
--- /dev/null
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md
@@ -0,0 +1,26 @@
+---
+title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
+description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
+ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# General guidance and best practices for Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
+
+## In this section
+|Topic |Description |
+|------|------------|
+|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP), in your enterprise. |
+|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
+|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
\ No newline at end of file
diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index b1adf33fd9..092982bd0a 100644
--- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios.
diff --git a/windows/keep-secure/images/defender/client.png b/windows/keep-secure/images/defender/client.png
new file mode 100644
index 0000000000..4f2118206e
Binary files /dev/null and b/windows/keep-secure/images/defender/client.png differ
diff --git a/windows/keep-secure/images/defender/detection-source.png b/windows/keep-secure/images/defender/detection-source.png
new file mode 100644
index 0000000000..7d471dc22d
Binary files /dev/null and b/windows/keep-secure/images/defender/detection-source.png differ
diff --git a/windows/keep-secure/images/defender/download-wdo.png b/windows/keep-secure/images/defender/download-wdo.png
new file mode 100644
index 0000000000..50d2fc3152
Binary files /dev/null and b/windows/keep-secure/images/defender/download-wdo.png differ
diff --git a/windows/keep-secure/images/defender/enhanced-notifications.png b/windows/keep-secure/images/defender/enhanced-notifications.png
new file mode 100644
index 0000000000..8317458416
Binary files /dev/null and b/windows/keep-secure/images/defender/enhanced-notifications.png differ
diff --git a/windows/keep-secure/images/defender/gp.png b/windows/keep-secure/images/defender/gp.png
new file mode 100644
index 0000000000..8b57c7b45c
Binary files /dev/null and b/windows/keep-secure/images/defender/gp.png differ
diff --git a/windows/keep-secure/images/defender/notification.png b/windows/keep-secure/images/defender/notification.png
new file mode 100644
index 0000000000..cad9f162e9
Binary files /dev/null and b/windows/keep-secure/images/defender/notification.png differ
diff --git a/windows/keep-secure/images/defender/sccm-wdo.png b/windows/keep-secure/images/defender/sccm-wdo.png
new file mode 100644
index 0000000000..8f504b94e1
Binary files /dev/null and b/windows/keep-secure/images/defender/sccm-wdo.png differ
diff --git a/windows/keep-secure/images/defender/settings-wdo.png b/windows/keep-secure/images/defender/settings-wdo.png
new file mode 100644
index 0000000000..23412856b0
Binary files /dev/null and b/windows/keep-secure/images/defender/settings-wdo.png differ
diff --git a/windows/keep-secure/images/defender/ux-config-key.png b/windows/keep-secure/images/defender/ux-config-key.png
new file mode 100644
index 0000000000..3e2d966342
Binary files /dev/null and b/windows/keep-secure/images/defender/ux-config-key.png differ
diff --git a/windows/keep-secure/images/defender/ux-uilockdown-key.png b/windows/keep-secure/images/defender/ux-uilockdown-key.png
new file mode 100644
index 0000000000..86d1b4b249
Binary files /dev/null and b/windows/keep-secure/images/defender/ux-uilockdown-key.png differ
diff --git a/windows/keep-secure/images/detection-source.png b/windows/keep-secure/images/detection-source.png
new file mode 100644
index 0000000000..7d471dc22d
Binary files /dev/null and b/windows/keep-secure/images/detection-source.png differ
diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/keep-secure/images/device-guard-gp.png
index 0c2c1c9d4f..169d2f245b 100644
Binary files a/windows/keep-secure/images/device-guard-gp.png and b/windows/keep-secure/images/device-guard-gp.png differ
diff --git a/windows/keep-secure/images/dg-fig1-enableos.png b/windows/keep-secure/images/dg-fig1-enableos.png
index cefb124344..a114c520de 100644
Binary files a/windows/keep-secure/images/dg-fig1-enableos.png and b/windows/keep-secure/images/dg-fig1-enableos.png differ
diff --git a/windows/keep-secure/images/dg-fig11-dgproperties.png b/windows/keep-secure/images/dg-fig11-dgproperties.png
index ce16705d0f..3c93b2b948 100644
Binary files a/windows/keep-secure/images/dg-fig11-dgproperties.png and b/windows/keep-secure/images/dg-fig11-dgproperties.png differ
diff --git a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png
index bf0d55dd7f..ddc2158a8a 100644
Binary files a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png and b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png differ
diff --git a/windows/keep-secure/images/intune-vpn-wipmodeid.png b/windows/keep-secure/images/intune-vpn-wipmodeid.png
new file mode 100644
index 0000000000..80852af30d
Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-wipmodeid.png differ
diff --git a/windows/keep-secure/images/phone-signin-device-select.png b/windows/keep-secure/images/phone-signin-device-select.png
new file mode 100644
index 0000000000..a002efa427
Binary files /dev/null and b/windows/keep-secure/images/phone-signin-device-select.png differ
diff --git a/windows/keep-secure/images/phone-signin-menu.png b/windows/keep-secure/images/phone-signin-menu.png
new file mode 100644
index 0000000000..4672433344
Binary files /dev/null and b/windows/keep-secure/images/phone-signin-menu.png differ
diff --git a/windows/keep-secure/images/phone-signin-settings.png b/windows/keep-secure/images/phone-signin-settings.png
new file mode 100644
index 0000000000..e0ae827426
Binary files /dev/null and b/windows/keep-secure/images/phone-signin-settings.png differ
diff --git a/windows/keep-secure/images/pua1.png b/windows/keep-secure/images/pua1.png
new file mode 100644
index 0000000000..f3d96a245a
Binary files /dev/null and b/windows/keep-secure/images/pua1.png differ
diff --git a/windows/keep-secure/images/pua2.png b/windows/keep-secure/images/pua2.png
new file mode 100644
index 0000000000..72ffa10aa5
Binary files /dev/null and b/windows/keep-secure/images/pua2.png differ
diff --git a/windows/keep-secure/images/remote-credential-guard-gp.png b/windows/keep-secure/images/remote-credential-guard-gp.png
new file mode 100644
index 0000000000..98c97825fa
Binary files /dev/null and b/windows/keep-secure/images/remote-credential-guard-gp.png differ
diff --git a/windows/keep-secure/images/remote-credential-guard.png b/windows/keep-secure/images/remote-credential-guard.png
new file mode 100644
index 0000000000..d8e3598dc9
Binary files /dev/null and b/windows/keep-secure/images/remote-credential-guard.png differ
diff --git a/windows/keep-secure/images/edp-intune-app-reconfig-warning.png b/windows/keep-secure/images/wip-intune-app-reconfig-warning.png
similarity index 100%
rename from windows/keep-secure/images/edp-intune-app-reconfig-warning.png
rename to windows/keep-secure/images/wip-intune-app-reconfig-warning.png
diff --git a/windows/keep-secure/images/edp-sccm-add-network-domain.png b/windows/keep-secure/images/wip-sccm-add-network-domain.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-add-network-domain.png
rename to windows/keep-secure/images/wip-sccm-add-network-domain.png
diff --git a/windows/keep-secure/images/edp-sccm-addapplockerfile.png b/windows/keep-secure/images/wip-sccm-addapplockerfile.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-addapplockerfile.png
rename to windows/keep-secure/images/wip-sccm-addapplockerfile.png
diff --git a/windows/keep-secure/images/edp-sccm-adddesktopapp.png b/windows/keep-secure/images/wip-sccm-adddesktopapp.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-adddesktopapp.png
rename to windows/keep-secure/images/wip-sccm-adddesktopapp.png
diff --git a/windows/keep-secure/images/edp-sccm-additionalsettings.png b/windows/keep-secure/images/wip-sccm-additionalsettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-additionalsettings.png
rename to windows/keep-secure/images/wip-sccm-additionalsettings.png
diff --git a/windows/keep-secure/images/edp-sccm-addpolicy.png b/windows/keep-secure/images/wip-sccm-addpolicy.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-addpolicy.png
rename to windows/keep-secure/images/wip-sccm-addpolicy.png
diff --git a/windows/keep-secure/images/edp-sccm-adduniversalapp.png b/windows/keep-secure/images/wip-sccm-adduniversalapp.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-adduniversalapp.png
rename to windows/keep-secure/images/wip-sccm-adduniversalapp.png
diff --git a/windows/keep-secure/images/edp-sccm-appmgmt.png b/windows/keep-secure/images/wip-sccm-appmgmt.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-appmgmt.png
rename to windows/keep-secure/images/wip-sccm-appmgmt.png
diff --git a/windows/keep-secure/images/edp-sccm-corp-identity.png b/windows/keep-secure/images/wip-sccm-corp-identity.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-corp-identity.png
rename to windows/keep-secure/images/wip-sccm-corp-identity.png
diff --git a/windows/keep-secure/images/edp-sccm-devicesettings.png b/windows/keep-secure/images/wip-sccm-devicesettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-devicesettings.png
rename to windows/keep-secure/images/wip-sccm-devicesettings.png
diff --git a/windows/keep-secure/images/edp-sccm-dra.png b/windows/keep-secure/images/wip-sccm-dra.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-dra.png
rename to windows/keep-secure/images/wip-sccm-dra.png
diff --git a/windows/keep-secure/images/edp-sccm-generalscreen.png b/windows/keep-secure/images/wip-sccm-generalscreen.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-generalscreen.png
rename to windows/keep-secure/images/wip-sccm-generalscreen.png
diff --git a/windows/keep-secure/images/edp-sccm-network-domain.png b/windows/keep-secure/images/wip-sccm-network-domain.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-network-domain.png
rename to windows/keep-secure/images/wip-sccm-network-domain.png
diff --git a/windows/keep-secure/images/edp-sccm-optsettings.png b/windows/keep-secure/images/wip-sccm-optsettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-optsettings.png
rename to windows/keep-secure/images/wip-sccm-optsettings.png
diff --git a/windows/keep-secure/images/edp-sccm-summaryscreen.png b/windows/keep-secure/images/wip-sccm-summaryscreen.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-summaryscreen.png
rename to windows/keep-secure/images/wip-sccm-summaryscreen.png
diff --git a/windows/keep-secure/images/edp-sccm-supportedplat.png b/windows/keep-secure/images/wip-sccm-supportedplat.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-supportedplat.png
rename to windows/keep-secure/images/wip-sccm-supportedplat.png
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index 1680e13ed9..4f2de5952b 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -1,6 +1,6 @@
---
-title: Implement Microsoft Passport in your organization (Windows 10)
-description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
+title: Implement Windows Hello in your organization (Windows 10)
+description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
keywords: identity, PIN, biometric, Hello
ms.prod: w10
@@ -8,41 +8,44 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+localizationpriority: high
---
-# Implement Microsoft Passport in your organization
+# Implement Windows Hello for Business in your organization
**Applies to**
- Windows 10
- Windows 10 Mobile
-You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10.
-> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Microsoft Passport for Work** policy settings to manage PINs.
+You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
+> **Important:** The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Windows Hello for Business** policy settings to manage PINs.
## Group Policy settings for Passport
-The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**.
+The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
+
+
## MDM policy settings for Passport
-The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
+The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070).
Policy
Options
-
Use Microsoft Passport for Work
+Use Windows Hello for Business
-
Use a hardware security device
-
@@ -122,23 +125,23 @@ The following table lists the Group Policy settings that you can configure for P
-
Remote Passport
+Phone Sign-in
-
-
@@ -287,7 +290,7 @@ If policy is not configured to explicitly require letters or special characters,
## Prerequisites
-You’ll need this software to set Microsoft Passport policies in your enterprise.
+You’ll need this software to set Windows Hello for Business policies in your enterprise.
@@ -164,8 +167,8 @@ The following table lists the MDM policy settings that you can configure for Pas
Policy
@@ -152,9 +155,9 @@ The following table lists the MDM policy settings that you can configure for Pas
Device
True
-
Device
False
-
@@ -176,8 +179,8 @@ The following table lists the MDM policy settings that you can configure for Pas
Device
False
-
@@ -276,8 +279,8 @@ The following table lists the MDM policy settings that you can configure for Pas
Device or user
False
-
-Configuration Manager and MDM provide the ability to manage Passport policy and to deploy and manage certificates protected by Passport.
-Azure AD provides the ability to register devices with your enterprise and to provision Passport for organization accounts.
-Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS.
+Configuration Manager and MDM provide the ability to manage Windows Hello for Business policy and to deploy and manage certificates protected by Windows Hello for Business.
-## Passport for BYOD
+Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
-Passport can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Passport PIN for unlocking the device and a separate work PIN for access to work resources.
-The work PIN is managed using the same Passport policies that you can use to manage Passport on organization owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244).
+Active Directory provides the ability to authorize users and devices using keys protected by Windows Hello for Business if domain controllers are running Windows 10 and the Windows Hello for Business provisioning service in Windows 10 AD FS.
+
+## Windows Hello for BYOD
+
+Windows Hello can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Windows Hello PIN for unlocking the device and a separate work PIN for access to work resources.
+The work PIN is managed using the same Windows Hello for Business policies that you can use to manage Windows Hello for Business on organization-owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244).
## Related topics
@@ -358,14 +363,17 @@ The work PIN is managed using the same Passport policies that you can use to man
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
+[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
+[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
+[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
+[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-[Event ID 300 - Passport successfully created](passport-event-300.md)
+[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
+
+[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index 25f0fba560..6099d183c9 100644
--- a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan:
diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
index 08feae0e2e..ab784f1c9f 100644
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@@ -16,20 +16,20 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| Topic | Description |
| - | - |
-| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. |
-| [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. |
-| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. |
+| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
+| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
-| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
-| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
+| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
+| [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
-| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
+| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
+| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
## Related topics
diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md
index 6bd8e60c5d..575bf12fee 100644
--- a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md
+++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+localizationpriority: high
---
# Install digital certificates on Windows 10 Mobile
@@ -22,6 +23,10 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes
- To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.
- For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site).
+
+**Warning**
+In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](http://go.microsoft.com/fwlink/p/?LinkId=786764)
+
## Install certificates using Microsoft Edge
A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device.
diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md
index b7f6c3b921..745da6642b 100644
--- a/windows/keep-secure/isolated-domain-gpos.md
+++ b/windows/keep-secure/isolated-domain-gpos.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.
diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md
index 3d23484bf9..43e1461c41 100644
--- a/windows/keep-secure/isolated-domain.md
+++ b/windows/keep-secure/isolated-domain.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone.
diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md
index 09367196c5..c8adf77620 100644
--- a/windows/keep-secure/isolating-apps-on-your-network.md
+++ b/windows/keep-secure/isolating-apps-on-your-network.md
@@ -12,7 +12,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/keep-secure/link-the-gpo-to-the-domain.md
index ab224211e6..ba14d60b0e 100644
--- a/windows/keep-secure/link-the-gpo-to-the-domain.md
+++ b/windows/keep-secure/link-the-gpo-to-the-domain.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
index dccabd045e..b510194d38 100644
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
@@ -1,73 +1,88 @@
---
-title: Manage identity verification using Microsoft Passport (Windows 10)
-description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
+title: Manage identity verification using Windows Hello for Business (Windows 10)
+description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-keywords: identity, PIN, biometric, Hello
+keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
+localizationpriority: high
---
-# Manage identity verification using Microsoft Passport
+# Manage identity verification using Windows Hello for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
-In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.
+In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
-Passport addresses the following problems with passwords:
+> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+
+Hello addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials.
- Passwords can be subject to [replay attacks](http://go.microsoft.com/fwlink/p/?LinkId=615673).
- Users can inadvertently expose their passwords due to [phishing attacks](http://go.microsoft.com/fwlink/p/?LinkId=615674).
-Passport lets users authenticate to:
+Hello lets users authenticate to:
- a Microsoft account.
- an Active Directory account.
- a Microsoft Azure Active Directory (AD) account.
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication
-After an initial two-step verification of the user during Passport enrollment, Passport is set up on the user's device and the user is asked to set a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Passport to authenticate users and help them to access protected resources and services.
+After an initial two-step verification of the user during enrollment, Hello is set up on the user's device and the user is asked to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Hello to authenticate users and help them to access protected resources and services.
-As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization.
+As an administrator in an enterprise or educational organization, you can create policies to manage Hello use on Windows 10-based devices that connect to your organization.
-## Benefits of Microsoft Passport
+
+
+
+## The difference between Windows Hello and Windows Hello for Business
+
+- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Hello provides a layer of protection by being unique to the device on which it is set up, however it is not backed by key-based or certificate-based authentication.
+
+- Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication.
+
+## Benefits of Windows Hello
Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
+
You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
-In Windows 10, Passport replaces passwords. The Passport provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Passport enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Passport keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Passport keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Passport key is created in software.
+In Windows 10, Hello replaces passwords. The Hello provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software.
-
+
Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
-Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
+Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs.
+
+Hello also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
-Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
> **Note:** Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
-## How Microsoft Passport works: key points
-- Passport credentials are based on certificate or asymmetrical key pair. Passport credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
-- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Microsoft Passport's public key to a user account during the registration step.
+
+## How Windows Hello for Business works: key points
+
+- Hello credentials are based on certificate or asymmetrical key pair. Hello credentials are bound to the device, and the token that is obtained using the credential is also bound to the device.
+- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Hello's public key to a user account during the registration step.
- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
-- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Passport gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
+- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process.
-- PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates.
-- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy.
-- Certificates are added to the Passport container and are protected by the Passport gesture.
-- Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run.
+- PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates.
+- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
+- Certificates are added to the Hello container and are protected by the Hello gesture.
+
## Comparing key-based and certificate-based authentication
-Passport can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Passport. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Passport.
+Windows Hello for Business can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Hello.
Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM.
-EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Passport keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
+EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Hello keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected.
-When identity providers such as Active Directory or Azure AD enroll a certificate in Passport, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
+When identity providers such as Active Directory or Azure AD enroll a certificate in Hello, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported.
## Learn more
@@ -89,15 +104,19 @@ When identity providers such as Active Directory or Azure AD enroll a certificat
## Related topics
-[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
+[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
+
+[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
+[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
+[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-[Event ID 300 - Passport successfully created](passport-event-300.md)
-
\ No newline at end of file
+[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
+
+[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
+
diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md
index 56b79bc283..97d8e1c456 100644
--- a/windows/keep-secure/mandatory-settings-for-wip.md
+++ b/windows/keep-secure/mandatory-settings-for-wip.md
@@ -11,22 +11,20 @@ ms.pagetype: security
# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
**Applies to:**
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+- Windows 10, version 1607
+- Windows 10 Mobile
This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
>**Important**
-
@@ -308,14 +311,14 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
Microsoft Passport mode
+Windows Hello for Business mode
Azure AD
-Active Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview)
-Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview)
+Active Directory (AD) on-premises (available with production release of Windows Server 2016)
+Azure AD/AD hybrid (available with production release of Windows Server 2016)
Key-based authentication
Azure AD subscription
-
-
-All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise.
+All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
|Task |Description |
|------------------------------------|--------------------------|
|Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.|
-|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.|
+|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection level for your enterprise data** section of the policy creation topics.|
|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. |
|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
-|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate for EDP** section of the policy creation topics. |
\ No newline at end of file
+|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. |
\ No newline at end of file
diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index 3187e17371..49dc1620f6 100644
--- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md
index ceebe00f0a..dd002d75b8 100644
--- a/windows/keep-secure/microsoft-passport-and-password-changes.md
+++ b/windows/keep-secure/microsoft-passport-and-password-changes.md
@@ -1,12 +1,13 @@
---
-title: Microsoft Passport and password changes (Windows 10)
-description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device.
+title: Windows Hello and password changes (Windows 10)
+description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+localizationpriority: high
---
# Microsoft Passport and password changes
@@ -14,17 +15,17 @@ author: jdeckerMS
- Windows 10
- Windows 10 Mobile
-When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. You can set up Passport for the same account on multiple devices. If the PIN or biometric is configured as part of a Microsoft Passport for Work, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Microsoft Passport for Work is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Passport.
+When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
## Example
Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
-Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Passport on **Device A** knows will be outdated.
-> **Note:** This example also applies to an Active Directory account when [Passport for Work is not implemented](implement-microsoft-passport-in-your-organization.md).
+Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
+> **Note:** This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
-## How to update Passport after you change your password on another device
+## How to update Hello after you change your password on another device
1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
2. Click **OK.**
@@ -35,16 +36,19 @@ Suppose instead that you sign in on **Device B** and change your password for yo
## Related topics
-[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
+[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
+[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
+
+[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
+[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-[Event ID 300 - Passport successfully created](passport-event-300.md)
+[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
index 490c5c9e6e..e99c7d38aa 100644
--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
@@ -1,6 +1,6 @@
---
-title: Microsoft Passport errors during PIN creation (Windows 10)
-description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step.
+title: Windows Hello errors during PIN creation (Windows 10)
+description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: PIN, error, create a work PIN
ms.prod: w10
@@ -8,15 +8,16 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+localizationpriority: high
---
-# Microsoft Passport errors during PIN creation
+# Windows Hello errors during PIN creation
**Applies to**
- Windows 10
- Windows 10 Mobile
-When you set up Microsoft Passport in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
+When you set up Windows Hello in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code?
@@ -221,14 +222,18 @@ For errors listed in this table, contact Microsoft Support for assistance.
## Related topics
-[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
+[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
+[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
+
+[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
+[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
+[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-[Event ID 300 - Passport successfully created](passport-event-300.md)
+[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
+
+[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
index b78b6f94f7..45548bb40f 100644
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ b/windows/keep-secure/microsoft-passport-guide.md
@@ -101,7 +101,7 @@ Microsoft Passport offers four significant advantages over the current state of
**It’s flexible**
Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate.
-Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 Technical Preview domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section).
+Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section).
**It’s standardized**
diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index 95ab7cda01..d2ed73907e 100644
--- a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain.
diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md
index f29f5afbb7..420518e4ca 100644
--- a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md
+++ b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC).
diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index e179647bac..bbecb7b8ad 100644
--- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security.
diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md
index 2d848ec539..9712af0076 100644
--- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To open a GPO to Windows Firewall
diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-windows-firewall-with-advanced-security.md
index cda993d4ad..8f20a73c1c 100644
--- a/windows/keep-secure/open-windows-firewall-with-advanced-security.md
+++ b/windows/keep-secure/open-windows-firewall-with-advanced-security.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This procedure shows you how to open the Windows Firewall with Advanced Security console.
diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md
index abd098560f..74ca414ed7 100644
--- a/windows/keep-secure/overview-create-edp-policy.md
+++ b/windows/keep-secure/overview-create-edp-policy.md
@@ -1,37 +1,5 @@
---
title: Create an enterprise data protection (EDP) policy (Windows 10)
description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Create an enterprise data protection (EDP) policy
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-
-## In this section
-|Topic |Description |
-|------|------------|
-|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
-|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy
+---
\ No newline at end of file
diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md
new file mode 100644
index 0000000000..786a59475d
--- /dev/null
+++ b/windows/keep-secure/overview-create-wip-policy.md
@@ -0,0 +1,25 @@
+---
+title: Create a Windows Information Protection (WIP) policy (Windows 10)
+description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Create a Windows Information Protection (WIP) policy
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+
+## In this section
+|Topic |Description |
+|------|------------|
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
\ No newline at end of file
diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md
index 9a7c694ae0..3609eec53d 100644
--- a/windows/keep-secure/passport-event-300.md
+++ b/windows/keep-secure/passport-event-300.md
@@ -1,6 +1,6 @@
---
-title: Event ID 300 - Passport successfully created (Windows 10)
-description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD).
+title: Event ID 300 - Windows Hello successfully created (Windows 10)
+description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
keywords: ngc
ms.prod: w10
@@ -8,15 +8,16 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+localizationpriority: high
---
-# Event ID 300 - Passport successfully created
+# Event ID 300 - Windows Hello successfully created
**Applies to**
- Windows 10
- Windows 10 Mobile
-This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
+This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
## Event details
| | |
@@ -34,9 +35,20 @@ This is a normal condition. No further action is required.
## Related topics
-- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
-- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
-- [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
-- [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
-- [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
+
+[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
+
+[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
+
+[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
+
+[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
+
+[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
+
+[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+
+[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
+
+[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md
index 69e599b812..ab5b21c69b 100644
--- a/windows/keep-secure/planning-certificate-based-authentication.md
+++ b/windows/keep-secure/planning-certificate-based-authentication.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication.
diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md
index 208265eefb..a18fb27051 100644
--- a/windows/keep-secure/planning-domain-isolation-zones.md
+++ b/windows/keep-secure/planning-domain-isolation-zones.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment.
diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md
index 050a5550f7..abdff4b8ca 100644
--- a/windows/keep-secure/planning-gpo-deployment.md
+++ b/windows/keep-secure/planning-gpo-deployment.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
You can control which GPOs are applied to devices in Active Directory in a combination of three ways:
diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md
index fff34a12c7..0718187682 100644
--- a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan.
diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md
index b4f667a50b..0c4488940a 100644
--- a/windows/keep-secure/planning-isolation-groups-for-the-zones.md
+++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone.
diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md
index 4d9b002e7c..929c583624 100644
--- a/windows/keep-secure/planning-network-access-groups.md
+++ b/windows/keep-secure/planning-network-access-groups.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required.
diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md
index 12688b93c9..9995c0e5fc 100644
--- a/windows/keep-secure/planning-server-isolation-zones.md
+++ b/windows/keep-secure/planning-server-isolation-zones.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server.
diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md
index 4fcbd977dc..fdcf972088 100644
--- a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices.
diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md
index b22f0497cd..84b3750822 100644
--- a/windows/keep-secure/planning-the-gpos.md
+++ b/windows/keep-secure/planning-the-gpos.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones.
diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md
index 1801d2a86a..8423e4b94f 100644
--- a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization.
diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md
index c800eca94d..736612379f 100644
--- a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs.
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
index d377aafd3e..154996d6b6 100644
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
@@ -1,6 +1,6 @@
---
-title: Prepare people to use Microsoft Passport (Windows 10)
-description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization.
+title: Prepare people to use Windows Hello (Windows 10)
+description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
keywords: identity, PIN, biometric, Hello
ms.prod: w10
@@ -8,21 +8,22 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+localizationpriority: high
---
-# Prepare people to use Microsoft Passport
+# Prepare people to use Windows Hello
**Applies to**
- Windows 10
- Windows 10 Mobile
-When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization by explaining how to use Passport.
+When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
-After enrollment in Passport, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
+After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
-Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Passport.
+Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
-People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Passport.
+People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
## On devices owned by the organization
@@ -36,33 +37,40 @@ Next, they select a way to connect. Tell the people in your enterprise which opt
They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a work PIN** screen displays any complexity requirements that you have set, such as minimum length.
-After Passport is set up, people use their PIN to unlock the device, and that will automatically log them on.
+After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
## On personal devices
People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. (This work account gesture doesn't affect the device unlock PIN.)
-Assure people that their work credentials and personal credentials are stored in separate containers; the enterprise has no access to their personal credentials.
-
People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
## Using Windows Hello and biometrics
-If your policy allows it, people can add Windows Hello to their Passport. Windows Hello can be fingerprint, iris, and facial recognition, and is available to users only if the hardware supports it.
+If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-## Use a phone to sign in to a PC
+## Use a phone to sign in to a PC or VPN
+
+If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
+
+> [!NOTE]
+> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials.
-> **Note:** Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
**Prerequisites:**
-- The PC must be joined to the Active Directory domain or Azure AD cloud domain.
-- The PC must have Bluetooth connectivity.
-- The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone.
-- The free **Phone Sign-in** app must be installed on the phone.
+
+- Both phone and PC must be running Windows 10, version 1607.
+- The PC must be running Windows 10 Pro, Enterprise, or Education
+- Both phone and PC must have Bluetooth.
+- The **Microsoft Authenticator** app must be installed on the phone.
+- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
+- The phone must be joined to Azure AD or have a work account added.
+- The VPN configuration profile must use certificate-based authentication.
+
**Pair the PC and phone**
+
1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing.
@@ -72,22 +80,36 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
3. On the PC, tap **Yes**.
+
**Sign in to PC using the phone**
-1. Open the **Phone Sign-in** app and tap the name of the PC to sign in to.
- > **Note: ** The first time that you run the Phone-Sign app, you must add an account.
+
+1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
+ > **Note: ** The first time that you run the **Microsoft Authenticator** app, you must add an account.
+
+ 
2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
+**Connect to VPN**
+
+You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect.
+
## Related topics
-[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
+[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
+[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
+
+[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
+[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
+
+[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
+
+[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
+
+[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
-[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-[Event ID 300 - Passport successfully created](passport-event-300.md)
diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md
index d19699b94b..7374820ed8 100644
--- a/windows/keep-secure/procedures-used-in-this-guide.md
+++ b/windows/keep-secure/procedures-used-in-this-guide.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md
index a24379dacf..f4134b9ce9 100644
--- a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md
index 9e052274d5..3f8df3ef51 100644
--- a/windows/keep-secure/protect-enterprise-data-using-edp.md
+++ b/windows/keep-secure/protect-enterprise-data-using-edp.md
@@ -1,92 +1,5 @@
---
title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10)
description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control.
-ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
-keywords: EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Protect your enterprise data using enterprise data protection (EDP)
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-
-Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
-
-## Prerequisites
-You’ll need this software to run EDP in your enterprise:
-
-|Operating system | Management solution |
-|-----------------|---------------------|
-|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager Technical Preview version 1605 or later
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
-
-## How EDP works
-EDP helps address your everyday challenges in the enterprise. Including:
-
-- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
-
-- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
-
-- Helping to maintain the ownership and control of your enterprise data.
-
-- Helping control the network and data access and data sharing for apps that aren’t enterprise aware.
-
-### EDP-protection modes
-You can set EDP to 1 of 4 protection and management modes:
-
-|Mode|Description|
-|----|-----------|
-|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
-|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
-|Off |EDP is turned off and doesn't help to protect or audit your data.
For more info about setting your EDP-protection modes, see either [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution.
-
-## Why use EDP?
-EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-
-- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
-
-- **Manage your enterprise documents, apps, and encryption modes.**
-
- - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
-
- - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
-
- - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that aren’t on this list are blocked from accessing your enterprise network resources and your EDP-protected data.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
-
-## Current limitations with EDP
-EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems.
-
-Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds.
-
-|EDP scenario |Without Azure Rights Management |Workaround |
-|-------------|--------------------------------|-----------|
-|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
+
+## How WIP works
+WIP helps address your everyday challenges in the enterprise. Including:
+
+- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
+
+- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
+
+- Helping to maintain the ownership and control of your enterprise data.
+
+- Helping control the network and data access and data sharing for apps that aren’t enterprise aware
+
+### WIP-protection modes
+You can set WIP to 1 of 4 protection and management modes:
+
+|Mode|Description|
+|----|-----------|
+|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
+|Off |WIP is turned off and doesn't help to protect or audit your data.
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution.
+
+## Why use WIP?
+WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
+
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
+
+- **Manage your enterprise documents, apps, and encryption modes.**
+
+ - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
+
+ - **Using allowed apps.** Managed apps (apps that you've included on the Allowed Apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+
+ - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode.
+
+ You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
+
+ - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
+
+ - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
+
+ Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
+
+ - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your allowed apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
+
+ - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
+
+- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+
+## Next steps
+After deciding to use WIP in your enterprise, you need to:
+
+- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
\ No newline at end of file
diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md
new file mode 100644
index 0000000000..ce2fbc59b1
--- /dev/null
+++ b/windows/keep-secure/remote-credential-guard.md
@@ -0,0 +1,103 @@
+---
+title: Protect Remote Desktop credentials with Remote Credential Guard (Windows 10)
+description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+# Protect Remote Desktop credentials with Remote Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device.
+
+You can use Remote Credential Guard in the following ways:
+
+- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device.
+
+- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
+
+Use the following diagrams to help understand how Remote Credential Guard works and what it helps protect against.
+
+
+
+## Hardware and software requirements
+
+The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard:
+
+- They must be joined to an Active Directory domain
+ - Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain.
+- They must use Kerberos authentication.
+- They must be running at least Windows 10, version 1607 or Windows Server 2016.
+- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
+
+
+## Enable Remote Credential Guard
+
+You must enable Remote Credential Guard on the target device by using the registry.
+
+1. Open Registry Editor.
+2. Enable Remote Credential Guard:
+ - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
+ - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Remote Credential Guard.
+3. Close Registry Editor.
+
+You can add this by running the following from an elevated command prompt:
+
+```
+reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
+```
+
+## Using Remote Credential Guard
+
+You can use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection.
+
+### Turn on Remote Credential Guard by using Group Policy
+
+1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
+2. Double-click **Restrict delegation of credentials to remote servers**.
+3. In the **Use the following restricted mode** box:
+ - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Require Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
+
+ > **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
+
+ - If you want to allow Remote Credential Guard, choose **Prefer Remote Credential Guard**.
+4. Click **OK**.
+
+ 
+
+5. Close the Group Policy Management Console.
+
+6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
+
+
+### Use Remote Credential Guard with a parameter to Remote Desktop Connection
+
+If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection.
+
+```
+mstsc.exe /remoteGuard
+```
+
+
+## Considerations when using Remote Credential Guard
+
+- Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied.
+
+- Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
+
+- Remote Desktop Credential Guard only works with the RDP protocol.
+
+- No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own.
+
+- Remote Desktop Gateway is not compatible with Remote Credential Guard.
+
+- You cannot used saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.
+
+- Both the client and the server must be joined to the same domain or the domains must have a trust relationship.
+
+- The server and client must authenticate using Kerberos.
\ No newline at end of file
diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
index 890eaf1d99..42da77aa05 100644
--- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted.
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 9db41d44f1..d9f6804c8a 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -32,9 +32,7 @@ For example, hardware that includes CPU virtualization extensions and SLAT will
You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
-The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features.
-
-
+The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> **Notes**
> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
@@ -51,20 +49,39 @@ The following tables provide more information about the hardware, firmware, and
| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
-
-
-> **Important** The preceding table lists requirements for baseline protections. The following table lists requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
+> **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
## Device Guard requirements for improved security
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
-### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511)
+### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+
+
+### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016)
+
+> **Important** The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
+
+| Protections for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+
+
+
+### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017)
+
+| Protections for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **UEFI NX Protections** | **Requirements**:
- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.
UEFI Runtime Services:
- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
+
## Device Guard deployment in different scenarios: types of devices
Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization.
diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
index 049625343b..fa2225b9c4 100644
--- a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data.
diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md
index d2b47a2dbe..dc34b9ac84 100644
--- a/windows/keep-secure/restrict-access-to-only-trusted-devices.md
+++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required.
diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
index 85d7267abb..57d1bc1e9d 100644
--- a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group.
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
index 9e6debeb0f..bf02b33e04 100644
--- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
@@ -1,7 +1,7 @@
---
-title: Run a scan from the command line in Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can run a scan using the command line in Windows Defender in Windows 10.
-keywords: scan, command line, mpcmdrun, defender
+title: Learn how to run a scan from command line in Windows Defender (Windows 10)
+description: Windows Defender utility enables IT professionals to use command line to run antivirus scans.
+keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -19,19 +19,19 @@ author: mjcaparas
IT professionals can use a command-line utility to run a Windows Defender scan.
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_
+The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
This utility can be handy when you want to automate the use of Windows Defender.
-**To run a full system scan from the command line**
+**To run a quick scan from the command line**
1. Click **Start**, type **cmd**, and press **Enter**.
2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
```
-C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2
+C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
```
-The full scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
+The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
The utility also provides other commands that you can run:
@@ -43,12 +43,12 @@ MpCmdRun.exe [command] [-options]
Command | Description
:---|:---
\- ? / -h | Displays all available options for the tool
-\-Scan [-ScanType #] [-File
|
-|Block enterprise data from non-enterprise apps |
Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.
|
-|Copy and paste from enterprise apps to non-enterprise apps |
|
-|Drag and drop from enterprise apps to non-enterprise apps |
|
-|Share between enterprise apps and non-enterprise apps |
|
-|Use the **Encrypt to** functionality |
|
-|Verify that Windows system components can use EDP |
|
-|Use EDP on FAT/exFAT systems |
Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.
|
-|Use EDP on NTFS systems |
|
-|Unenroll client devices from EDP |
|
-|Verify that app content is protected when a Windows 10 Mobile phone is locked |
Unenrolling a device revokes and erases all of the enterprise data for the managed account.
|
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip
+---
\ No newline at end of file
diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md
new file mode 100644
index 0000000000..113768489b
--- /dev/null
+++ b/windows/keep-secure/testing-scenarios-for-wip.md
@@ -0,0 +1,36 @@
+---
+title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
+description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
+ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Testing scenarios for Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
+
+## Testing scenarios
+You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
+
+|Scenario |Processes |
+|---------|----------|
+|Automatically encrypt files from enterprise apps |
|
+|Block enterprise data from non-enterprise apps |
Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.
|
+|Copy and paste from enterprise apps to non-enterprise apps |
|
+|Drag and drop from enterprise apps to non-enterprise apps |
|
+|Share between enterprise apps and non-enterprise apps |
|
+|Use the **Encrypt to** functionality |
|
+|Verify that Windows system components can use WIP |
|
+|Use WIP on FAT/exFAT systems |
Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.
|
+|Use WIP on NTFS systems |
|
+|Unenroll client devices from WIP |
|
+|Verify that app content is protected when a Windows 10 Mobile phone is locked |
Unenrolling a device revokes and erases all of the enterprise data for the managed account.
|
\ No newline at end of file
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
index e60c0f663c..a53f073958 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
@@ -1013,8 +1013,40 @@ Result code associated with threat status. Standard HRESULT values.
Description of the error.
+
+The above context applies to the following client and server versions:
+
+
+
+Operating system
+Operating system version
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2663,6 +2695,7 @@ Description of the error.
+
## Windows Defender client error codes
If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about Windows Defender client errors.
diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md
index 758bffcd66..618894db96 100644
--- a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md
+++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console.
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
index e81dff792a..088acf33fa 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
@@ -23,7 +23,8 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
-> **Note:** PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
+> [!NOTE]
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
@@ -32,7 +33,8 @@ PowerShell is typically installed under the folder _%SystemRoot%\system32\Window
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
- > **Note:** You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+ > [!NOTE]
+ > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
3. Enter the command and parameters.
To open online help for any of the cmdlets type the following:
@@ -41,3 +43,7 @@ To open online help for any of the cmdlets type the following:
Get-Help
-
-
-
-
+---
+title: Windows Defender in Windows 10 (Windows 10)
+description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
+ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: jasesso
+---
+
+# Windows Defender in Windows 10
+
+**Applies to**
+- Windows 10
+
+Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
+This topic provides an overview of Windows Defender, including a list of system requirements and new features.
+
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
+
+Take advantage of Windows Defender by configuring settings and definitions using the following tools:
+- Microsoft Active Directory *Group Policy* for settings
+- Windows Server Update Services (WSUS) for definitions
+
+Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
+> **Note:** System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
+- Settings management
+- Definition update management
+- Alerts and alert management
+- Reports and report management
+
+When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
+
+
+### Compatibility with Windows Defender Advanced Threat Protection
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
+
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
+
+You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
+
+### Minimum system requirements
+
+Windows Defender has the same hardware requirements as Windows 10. For more information, see:
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
+
+### New and changed functionality
+
+- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
+- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
+- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
+
+For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
+
+## In this section
+
+Topic | Description
+:---|:---
+[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
+[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
+[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
+[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
+[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
+[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md
new file mode 100644
index 0000000000..d861493653
--- /dev/null
+++ b/windows/keep-secure/windows-defender-offline.md
@@ -0,0 +1,181 @@
+---
+title: Windows Defender Offline in Windows 10
+description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Windows Defender Offline in Windows 10
+
+**Applies to:**
+
+- Windows 10, version 1607
+
+Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## Pre-requisites and requirements
+
+Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
+
+> [!NOTE]
+> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+
+## Windows Defender Offline updates
+
+Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+
+
+The user will also be notified within the Windows Defender client:
+
+
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+
+
+## Manage notifications
+
+
+You can suppress Windows Defender Offline notifications with Group Policy.
+
+> [!NOTE]
+> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
+
+**Use Group Policy to suppress Windows Defender notifications:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
+
+1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
+
+## Configure Windows Defender Offline settings
+
+You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
+
+For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
+
+For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
+
+## Run a scan
+
+Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
+
+> [!NOTE]
+> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
+
+You can set up a Windows Defender Offline scan with the following:
+
+- Windows Update and Security settings
+
+- Windows Defender
+
+- Windows Management Instrumentation
+
+- Windows PowerShell
+
+- Group Policy
+
+> [!NOTE]
+> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+**Run Windows Defender Offline from Windows Settings:**
+
+1. Open the **Start** menu and click or type **Settings**.
+
+1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
+
+1. Click **Scan offline**.
+
+ 
+
+1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+**Run Windows Defender Offline from Windows Defender:**
+
+1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
+
+1. On the **Home** tab click **Download and Run**.
+
+ 
+
+1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+
+**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
+
+Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
+
+The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```WMI
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+```
+
+For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
+
+**Run Windows Defender Offline using PowerShell:**
+
+Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
+
+For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
+
+## Review scan results
+
+Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
+
+1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
+
+1. Go to the **History** tab.
+
+1. Select **All detected items**.
+
+1. Click **View details**.
+
+Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
+
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 23f9e3d1c0..c70e57a4b1 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -12,7 +12,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows.
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md
index 5dabaedf02..9cfe29f6c0 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md
index acc229bd6a..47830f44c9 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md
@@ -13,7 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md
index 51c6967315..4433aaf633 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security.md
@@ -12,7 +12,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md
index 40a4efa80a..9907572763 100644
--- a/windows/keep-secure/windows-hello-in-enterprise.md
+++ b/windows/keep-secure/windows-hello-in-enterprise.md
@@ -7,7 +7,8 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
+author: jdeckerMS
+localizationpriority: high
---
# Windows Hello biometrics in the enterprise
@@ -17,21 +18,23 @@ author: eross-msft
Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
+> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+
Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
##How does Windows Hello work?
-Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials.
+Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
-The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
+The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
## Why should I let my employees use Windows Hello?
Windows Hello provides many benefits, including:
-- Combined with Microsoft Passport, it helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge.
+- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge.
- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords!
-- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic.
+- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
## Where is Microsoft Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.
@@ -72,8 +75,8 @@ To allow facial recognition, you must have devices with integrated special infra
- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
## Related topics
-- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
-- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
+- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
+- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
- [Microsoft Passport guide](microsoft-passport-guide.md)
- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
- [PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219)
diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md
index d9f379c2a6..690b516662 100644
--- a/windows/keep-secure/windows-security-baselines.md
+++ b/windows/keep-secure/windows-security-baselines.md
@@ -12,7 +12,10 @@ author: brianlic-msft
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
-We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
+We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
+
+ > [!NOTE]
+ > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
## What are security baselines?
@@ -31,18 +34,19 @@ In modern organizations, the security threat landscape is constantly evolving. I
To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
- ## How can you use security baselines?
+## How can you use security baselines?
You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
- ## Where can I get the security baselines?
+## Where can I get the security baselines?
Here's a list of security baselines that are currently available.
- > **Note:** If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
+ > [!NOTE]
+ > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
### Windows 10 security baselines
diff --git a/windows/keep-secure/wip-enterprise-overview.md b/windows/keep-secure/wip-enterprise-overview.md
new file mode 100644
index 0000000000..7724af5d0e
--- /dev/null
+++ b/windows/keep-secure/wip-enterprise-overview.md
@@ -0,0 +1,77 @@
+---
+title: Windows Information Protection overview (Windows 10)
+description: Conceptual info about Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP).
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Windows Information Protection (WIP) overview
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+- Windows 10 Mobile Preview
+
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+
+Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
+
+
+## Benefits of WIP
+
+WIP provides:
+- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
+
+- Additional data protection for existing line-of-business apps without a need to update the apps.
+
+- Ability to wipe corporate data from devices while leaving personal data alone.
+
+- Use of audit reports for tracking issues and remedial actions.
+
+- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager 2016, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
+
+## Enterprise scenarios
+WIP currently addresses these enterprise scenarios:
+- You can encrypt enterprise data on employee-owned and corporate-owned devices.
+
+- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
+
+- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
+
+- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
+
+## Why use WIP?
+WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
+
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
+
+- **Manage your enterprise documents, apps, and encryption modes.**
+
+ - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device.
+
+ - **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+
+ - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode.
+
+ You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
+
+ - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
+
+ - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
+
+ Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
+
+ - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
+
+ - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
+
+ - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
+
+## Turn off WIP
+
+You can turn off all Windows Information Protection and restrictions, reverting to where you were pre-WIP, with no data loss. However, turning off WIP isn't recommended. If you choose to turn it off, you can always turn it back on, but WIP won't retain your decryption and policies info.
+
+## Related topics
+- [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-edp.md)
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index c7fae648b6..29e5c3e336 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -1,23 +1,28 @@
# [Manage and update Windows 10](index.md)
-## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Manage corporate devices](manage-corporate-devices.md)
+### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
-## [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
+## [Windows Spotlight on the lock screen](windows-spotlight.md)
+## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
### [Customize and export Start layout](customize-and-export-start-layout.md)
-### [Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-### [Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
## [Lock down Windows 10](lock-down-windows-10.md)
+### [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
+### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
+#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
@@ -33,6 +38,7 @@
## [Application development for Windows as a service](application-development-for-windows-as-a-service.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
+####[Windows Store for Business overview](windows-store-for-business-overview.md)
#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
@@ -59,4 +65,4 @@
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
-
+## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md
index 11ddab7ae7..2472c4a967 100644
--- a/windows/manage/app-inventory-management-windows-store-for-business.md
+++ b/windows/manage/app-inventory-management-windows-store-for-business.md
@@ -19,7 +19,7 @@ author: TrudyHa
You can manage all apps that you've acquired on your **Inventory** page.
-The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
+The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
@@ -28,15 +28,20 @@ All of these apps are treated the same once they are in your inventory and you c
Store for Business shows this info for each app in your inventory:
- Name
-
- Access to actions for the app
-
-- Last modified date
-
-- Supported devices
-
+- Last modified
+- Available licenses
- Private store status
+The last modified date tracks changes about the app as an item in your inventory. The last modified date changes when one of the following happens:
+- First purchase (the date you acquire the app from Windows Store for Business)
+- Purchase additional licenses
+- Assign license
+- Reclaim license
+- Refund order (applies to purchased apps, not free apps)
+
+The last modified date does not correspond to when an app was last updated in the Store. It tracks activity for that app, as an item in your inventory.
+
### Find apps in your inventory
There are a couple of ways to find specific apps, or groups of apps in your inventory.
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 31bbd84321..f1ea30ec04 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -12,6 +12,16 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
+## RELEASE: Windows 10, version 1607
+
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+
+- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
+- [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
+
## July 2016
| New or changed topic | Description |
@@ -19,6 +29,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | New |
| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). |
+
## June 2016
| New or changed topic | Description |
diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md
index 8697ff8945..ad0589981e 100644
--- a/windows/manage/changes-to-start-policies-in-windows-10.md
+++ b/windows/manage/changes-to-start-policies-in-windows-10.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
# Changes to Group Policy settings for Windows 10 Start
diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md
index 0539884199..175c61bf6e 100644
--- a/windows/manage/configure-devices-without-mdm.md
+++ b/windows/manage/configure-devices-without-mdm.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices
author: jdeckerMS
+localizationpriority: medium
---
# Configure devices without MDM
@@ -24,7 +25,7 @@ Sometimes mobile device management (MDM) isn't available to you for setting up a
Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
-You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. You can even send the provisioning package to someone in email.
+You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out.
Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed.
@@ -56,8 +57,8 @@ Provisioning packages are simple for employees to install. And when they remove
Package might include company root certificate, Wi-Fi profiles, security policies, or company application.
- **Note**
- Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device.
+ > [!NOTE]
+ > Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device.
@@ -65,81 +66,93 @@ Provisioning packages are simple for employees to install. And when they remove
Package might include computer name, company root certificate, Wi-Fi profile, or company application.
- **Note**
- To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience.
+ > [!NOTE]
+ > To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience.
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
-## Create package
+## Create a provisioning package
+
+Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+When you run Windows ICD, you have several options for creating your package.
+
+.
+
+- Choose **Simple provisioning** to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
+- Choose **Provision school devices** to quickly create provisioning packages that configure settings and policies tailored for students. Learn more about using Windows ICD to provision student PCs (link tb added).
+- Choose **Advanced provisioning** to create provisioning packages in the advanced settings editor and include classic (Win32) and Universal Windows Platform (UWP) apps for deployment on end-user devices.
+
+> [!IMPORTANT]
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+### Using Simple provisioning
+
+1. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
+2. Click **Simple provisioning**.
+2. Name your project and click **Finish**.
+3. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
+4. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
+ - Home to Education
+ - Pro to Education
+ - Pro to Enterprise
+ - Enterprise to Education
+ - Mobile to Mobile Enterprise
+5. Click **Set up network**.
+6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
+7. Click **Enroll into Active Directory**.
+8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
+ > [!WARNING]
+ > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
+ - Use a least-privileged domain account to join the device to the domain.
+ - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
+ - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
+9. Click **Finish**.
+10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
+11. Click **Create**.
+
+
+
+### Using Advanced provisioning
-Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
-
-2. Choose **New provisioning package**.
-
+2. Click **Advanced provisioning**.
+3. Choose **New provisioning package**.
3. Name your project, and click **Next**.
-
-4. Choose **Common to all Windows editions**, **Common to all Windows desktop editions**, or **Common to all Windows mobile editions**, depending on the devices you intend to provision, and click **Next**.
-
+4. Choose **All Windows editions**, **All Windows desktop editions**, or **All Windows mobile editions**, depending on the devices you intend to provision, and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
-
6. Configure settings. [Learn more about specific settings in provisioning packages.]( http://go.microsoft.com/fwlink/p/?LinkId=615916)
-
7. On the **File** menu, select **Save.**
-
8. On the **Export** menu, select **Provisioning package**.
-
9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
-
10. Set a value for **Package Version**.
-
- **Tip**
- You can make changes to existing packages and change the version number to update previously applied packages.
-
-
-
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
+
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
-
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
-
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
-
- **Important**
- We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
-
-
-
+ > [!IMPORTANT]
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
+
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
-
Optionally, you can click **Browse** to change the default output location.
-
13. Click **Next**.
-
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
-
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
-
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
-
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
-
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
-
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
-
- Shared network folder
-
- SharePoint site
-
- Removable media (USB/SD)
-
- Email
-
- USB tether (mobile only)
Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651)
@@ -147,11 +160,11 @@ Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwl
## Apply package
-On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in email, in local storage, on removable media, or at a URL.
+On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in local storage, on removable media, or at a URL.
-On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install. The user can also add a provisioning package simply by double-tapping the .ppkg file in email.
+On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install.
@@ -168,7 +181,7 @@ On a mobile device, the employee goes to **Settings** > **Accounts** > **P
- Optionally, keep packages when you reset a mobile device. When you reset a desktop, runtime packages are removed.
- 
+ 
## Learn more
diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md
new file mode 100644
index 0000000000..0424d18166
--- /dev/null
+++ b/windows/manage/configure-windows-10-taskbar.md
@@ -0,0 +1,294 @@
+---
+title: Configure Windows 10 taskbar (Windows 10)
+description: Admins can pin apps to users' taskbars.
+keywords: ["taskbar layout","pin apps"]
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+# Configure Windows 10 taskbar
+
+Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `
+
## Configure a partial Start layout
@@ -123,9 +150,11 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+
+[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
index bf5aed9ec4..6c7c63c9cd 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
@@ -7,9 +7,10 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
-# Customize Windows 10 Start with Group Policy
+# Customize Windows 10 Start and taskbar with Group Policy
**Applies to**
@@ -20,12 +21,12 @@ author: jdeckerMS
- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
-This topic describes how to update Group Policy settings to display a customized Start layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start layout to users in a domain.
+This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain.
**Warning**
-When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
+When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps.
@@ -34,23 +35,23 @@ When a full Start layout is applied with this method, the users cannot pin, unpi
## Operating system requirements
-Start layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. Start layout control is not supported in Windows 10 Pro.
+Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro.
-The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
+The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
## How Start layout control works
-Two features enable Start layout control:
+Three features enable Start and taskbar layout control:
-- The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
+- The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
**Note**
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
-
+- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `
+
+
+
+ XML
+
+
+
+ <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
+ <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
+ <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
+ <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). |
-| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
-| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
-
\ No newline at end of file
+| --- | --- | --- |
+| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
+| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
+| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
+| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
+| **Do not require CTRL+ALT+DEL** combined with**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon andComputer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
+| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md |
+| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
+| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
+| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
+| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) |
+
+
+
+
diff --git a/windows/manage/guidelines-for-assigned-access-app.md b/windows/manage/guidelines-for-assigned-access-app.md
new file mode 100644
index 0000000000..2d776f2cf5
--- /dev/null
+++ b/windows/manage/guidelines-for-assigned-access-app.md
@@ -0,0 +1,104 @@
+---
+title: Guidelines for choosing an app for assigned access (Windows 10)
+description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
+ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
+keywords: ["kiosk", "lockdown", "assigned access"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Guidelines for choosing an app for assigned access (kiosk mode)
+
+
+**Applies to**
+
+- Windows 10
+
+
+You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
+
+The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607.
+
+## General guidelines
+
+- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](https://msdn.microsoft.com/library/windows/hardware/mt228170.aspx#install_your_apps).
+
+- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
+
+
+## Guidelines for Windows apps that launch other apps
+
+Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
+
+Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
+
+## Guidelines for web browsers
+
+Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps.
+
+If you use a web browser as your assigned access app, consider the following tips:
+
+- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store.
+- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorer’s web address bar.
+- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
+ - [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
+ - [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx)
+ - [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
+
+**To block access to the file system from Internet Explorer's web address bar**
+1. On the Start screen, type the following:
+ `gpedit.msc`
+2. Press **Enter** or click the gpedit icon to launch the group policy editor.
+3. In the group policy editor, navigate to **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
+4. Select **Remove Run menu from Start Menu**, select **Disabled**, and click **Apply**. Disabling this policy prevents users from entering the following into the Internet Explorer Address Bar:
+ - A UNC path (\\
-
+
+
@@ -67,6 +67,9 @@ Learn about managing and updating Windows 10.
+
diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
index 3a8047bf80..07b423dbf8 100644
--- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
+localizationpriority: high
---
# Join Windows 10 Mobile to Azure Active Directory
diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md
index 232ab26d13..71622d4902 100644
--- a/windows/manage/lock-down-windows-10-to-specific-apps.md
+++ b/windows/manage/lock-down-windows-10-to-specific-apps.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerMS
+localizationpriority: high
---
# Lock down Windows 10 to specific apps
@@ -114,6 +115,10 @@ To learn more about locking down features, see [Customizations for Windows 10 En
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
+## Related topics
+
+- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)
+
diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md
index 320d69d80d..a3374f6d0f 100644
--- a/windows/manage/lock-down-windows-10.md
+++ b/windows/manage/lock-down-windows-10.md
@@ -8,16 +8,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
+localizationpriority: high
---
# Lock down Windows 10
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
## In this section
@@ -34,7 +29,8 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
Description
-
+
+
+
+
+
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md
index 7655d1f5e4..08bd7496c7 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
+localizationpriority: high
---
# Configure Windows 10 Mobile using Lockdown XML
@@ -20,105 +21,464 @@ Windows 10 Mobile allows enterprises to lock down a device, define multiple use
This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices.
-After you apply the lockdown settings, the lockdown configuration is stored in a wehlockdown.xml file on the device.
+Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
-For details on each of the configuration items, see the AssignedAccess/AssignedAccessXml section of the [EnterpriseAssignedAccess configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkID=618601).
+> [!NOTE]
+> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
-## Order of lockdown settings
+If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) first.
+## Overview of the lockdown XML file
-The configuration items must be in the following order when you lock down settings:
-
-- Default profile
- - ActionCenter
- - Apps
- - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- - App User Model ID, as described in [Configuring Multiple App Packages](#bmk-map)
- - PinToStart
- - Size
- - Location
- - Buttons
- - ButtonLockdownList
- - Button name
- - ButtonRemapList
- - Button name
- - Button event name
- - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- - CSPRunner
- - SyncML
- - MenuItems
- - Disable menu items
- - Settings
- - System name, as described in [Settings and quick actions that can be locked down](settings-that-can-be-locked-down.md)
- - Tiles
- - Enable tile manipulation
- - StartScreenSize
-- RoleList
- - Role (repeat for each role)
- - ActionCenter
- - Apps
- - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- - App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#bmk-map)
- - PinToStart
- - Size
- - Location
- - Buttons
- - ButtonLockdownList
- - Button name
- - ButtonRemapList
- - Button name
- - Button event name
- - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- - CSPRunner
- - SyncML
- - MenuItems
- - Disable menu items
- - Settings
- - System name, as described in [Settings and quick actions that can be locked down](settings-that-can-be-locked-down.md)
- - Tiles
- - Enable tile manipulation
- - StartScreenSize
-
-## Configuring multiple app packages
-
-
-Multiple app packages enable multiple apps to exist inside the same package. Since product IDs identify packages and not applications, specifying a product ID is not enough to distinguish between individual apps inside a multiple app package. Trying to pin application tiles from a multiple app package with just a product ID can result in unexpected behavior.
-
-To support pinning applications in multiple app packages, an AUMID parameter can be specified in lockdown.xml.
-
-The following example shows how to pin both Outlook Mail and Outlook Calendar:
+Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml.
+```xml
+
+
+
+
+
+Windows Embedded 8.1 Industry lockdown feature
+Windows 10 feature
+Changes
+
+
+N/A
+
+
+[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)
+
+
+[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)
+
+
+[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)
+
+
+[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)
+
+
+[AppLocker](../keep-secure/applocker-overview.md)
+
+
+
+Mobile device management (MDM) and Group Policy
+
+
+[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)
+
+
+MDM and Group Policy
+
+
+[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)
+
+
+[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)
+
+
+[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)
+
+
+
+[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)
+
Default: Allowed|
-### 1.3 Cortana Windows Provisioning
+### 2.3 Cortana Windows Provisioning
To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
-### 2. Date & Time
+### 3. Date & Time
You can prevent Windows from setting the time automatically.
@@ -312,19 +258,20 @@ You can prevent Windows from setting the time automatically.
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
-### 3. Device metadata retrieval
+### 4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-### 4. Font streaming
+### 5. Font streaming
Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
-> **Note:** This may change in future versions of Windows.
+> [!NOTE]
+> This may change in future versions of Windows.
-### 5. Insider Preview builds
+### 6. Insider Preview builds
To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
@@ -354,11 +301,11 @@ To turn off Insider Preview builds if you're running a released version of Windo
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-### 6. Internet Explorer
+### 7. Internet Explorer
Use Group Policy to manage settings for Internet Explorer.
-### 6.1 Internet Explorer Group Policies
+### 7.1 Internet Explorer Group Policies
Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
@@ -370,19 +317,26 @@ Find the Internet Explorer Group Policy objects under **Computer Configuration**
| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
-### 6.2 ActiveX control blocking
+There are two more Group Policy objects that are used by Internet Explorer:
+
+| Path | Policy | Description |
+| - | - | - |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled |
+
+### 7.2 ActiveX control blocking
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
-### 7. Live Tiles
+### 8. Live Tiles
To turn off Live Tiles:
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
-### 8. Mail synchronization
+### 9. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
@@ -400,15 +354,36 @@ To turn off the Windows Mail app:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
-### 9. Microsoft Edge
+### 10. Microsoft Account
+
+To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.
+
+- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentControlSet\\Services\\wlidsvc** to 4.
+
+
+### 11. Microsoft Edge
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
-### 9.1 Microsoft Edge Group Policies
+### 11.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
-> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
+> [!NOTE]
+> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Configure autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
+| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled |
+| Configure password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
+| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled |
+| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled |
+| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
+| Configure Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
+
+
+The Windows 10, version 1511 Microsoft Edge Group Policy names are:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@@ -420,7 +395,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled |
| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
-### 9.2 Microsoft Edge MDM policies
+### 11.2 Microsoft Edge MDM policies
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@@ -432,35 +407,42 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed |
| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed |
-### 9.3 Microsoft Edge Windows Provisioning
+### 11.3 Microsoft Edge Windows Provisioning
Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
-### 10. Network Connection Status Indicator
+### 12. Network Connection Status Indicator
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
+
+In versions of Windows 10 prior to Windows 10, version 1607, the URL was http://www.msftncsi.com.
You can turn off NCSI through Group Policy:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
-> **Note** After you apply this policy, you must restart the device for the policy setting to take effect.
+> [!NOTE]
+> After you apply this policy, you must restart the device for the policy setting to take effect.
-### 11. Offline maps
+### 13. Offline maps
You can turn off the ability to download and update offline maps.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
-### 12. OneDrive
+ -and-
+
+- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
+
+### 14. OneDrive
To turn off OneDrive in your organization:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-### 13. Preinstalled apps
+### 15. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
@@ -572,47 +554,50 @@ To remove the Get Skype app:
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
-### 14. Settings > Privacy
+### 16. Settings > Privacy
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-- [14.1 General](#bkmk-general)
+- [16.1 General](#bkmk-general)
-- [14.2 Location](#bkmk-priv-location)
+- [16.2 Location](#bkmk-priv-location)
-- [14.3 Camera](#bkmk-priv-camera)
+- [16.3 Camera](#bkmk-priv-camera)
-- [14.4 Microphone](#bkmk-priv-microphone)
+- [16.4 Microphone](#bkmk-priv-microphone)
-- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
+- [16.5 Notifications](#bkmk-priv-notifications)
-- [14.6 Account info](#bkmk-priv-accounts)
+- [16.6 Speech, inking, & typing](#bkmk-priv-speech)
-- [14.7 Contacts](#bkmk-priv-contacts)
+- [16.7 Account info](#bkmk-priv-accounts)
-- [14.8 Calendar](#bkmk-priv-calendar)
+- [16.8 Contacts](#bkmk-priv-contacts)
-- [14.9 Call history](#bkmk-priv-callhistory)
+- [16.9 Calendar](#bkmk-priv-calendar)
-- [14.10 Email](#bkmk-priv-email)
+- [16.10 Call history](#bkmk-priv-callhistory)
-- [14.11 Messaging](#bkmk-priv-messaging)
+- [16.11 Email](#bkmk-priv-email)
-- [14.12 Radios](#bkmk-priv-radios)
+- [16.12 Messaging](#bkmk-priv-messaging)
-- [14.13 Other devices](#bkmk-priv-other-devices)
+- [16.13 Radios](#bkmk-priv-radios)
-- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
+- [16.14 Other devices](#bkmk-priv-other-devices)
-- [14.15 Background apps](#bkmk-priv-background)
+- [16.15 Feedback & diagnostics](#bkmk-priv-feedback)
-### 14.1 General
+- [16.16 Background apps](#bkmk-priv-background)
+
+### 16.1 General
**General** includes options that don't fall into other areas.
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
-> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
+> [!NOTE]
+> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
- Turn off the feature in the UI.
@@ -648,11 +633,12 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
-or-
-- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero).
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
-> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
+> [!NOTE]
+> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
@@ -674,7 +660,15 @@ To turn off **Let websites provide locally relevant content by accessing my lang
- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
-### 14.2 Location
+To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
+
+- Turn off the feature in the UI.
+
+To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
+
+- Turn off the feature in the UI.
+
+### 16.2 Location
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
@@ -696,8 +690,8 @@ To turn off **Location for this device**:
- **2**. Turned on and the employee can't turn it off.
- **Note**
- You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+ > [!NOTE]
+ > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-or-
@@ -725,7 +719,7 @@ To turn off **Choose apps that can use your location**:
- Turn off each app using the UI.
-### 14.3 Camera
+### 16.3 Camera
In the **Camera** area, you can choose which apps can access a device's camera.
@@ -747,8 +741,8 @@ To turn off **Let apps use my camera**:
- **1**. Apps can use the camera.
- **Note**
- You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+ > [!NOTE]
+ > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-or-
@@ -762,7 +756,7 @@ To turn off **Choose apps that can use your camera**:
- Turn off the feature in the UI for each app.
-### 14.4 Microphone
+### 16.4 Microphone
In the **Microphone** area, you can choose which apps can access a device's microphone.
@@ -780,13 +774,26 @@ To turn off **Choose apps that can use your microphone**:
- Turn off the feature in the UI for each app.
-### 14.5 Speech, inking, & typing
+### 16.5 Notifications
+
+In the **Notifications** area, you can choose which apps have access to notifications.
+
+To turn off **Let apps access my notifications**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 16.6 Speech, inking, & typing
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
-> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
-
-
+> [!NOTE]
+> For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
To turn off the functionality:
@@ -802,9 +809,21 @@ To turn off the functionality:
-and-
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
-### 14.6 Account info
+
+If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models:
+
+Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where:
+
+- **0** (default). Not allowed.
+- **1**. Allowed.
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **AllowSpeechModelUpdate** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\Current\\Device\\Speech**, with a value of 0 (zero).
+
+### 16.7 Account info
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
@@ -822,7 +841,7 @@ To turn off **Choose the apps that can access your account info**:
- Turn off the feature in the UI for each app.
-### 14.7 Contacts
+### 16.8 Contacts
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
@@ -836,7 +855,7 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
-### 14.8 Calendar
+### 16.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@@ -854,7 +873,7 @@ To turn off **Choose apps that can access calendar**:
- Turn off the feature in the UI for each app.
-### 14.9 Call history
+### 16.10 Call history
In the **Call history** area, you can choose which apps have access to an employee's call history.
@@ -868,7 +887,7 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
-### 14.10 Email
+### 16.11 Email
In the **Email** area, you can choose which apps have can access and send email.
@@ -882,7 +901,7 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
-### 14.11 Messaging
+### 16.12 Messaging
In the **Messaging** area, you can choose which apps can read or send messages.
@@ -900,7 +919,7 @@ To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
-### 14.12 Radios
+### 16.13 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
@@ -918,7 +937,7 @@ To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
-### 14.13 Other devices
+### 16.14 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@@ -936,14 +955,14 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
-### 14.14 Feedback & diagnostics
+### 16.15 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
To change how frequently **Windows should ask for my feedback**:
-**Note**
-Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
+> [!NOTE]
+> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
@@ -977,7 +996,8 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
- > **Note:** You can't use the UI to change the telemetry level to **Security**.
+ > [!NOTE]
+ > You can't use the UI to change the telemetry level to **Security**.
@@ -1009,7 +1029,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- **3**. Maps to the **Full** level.
-### 14.15 Background apps
+### 16.16 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
@@ -1017,15 +1037,19 @@ To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
-### 15. Software Protection Platform
+### 17. Software Protection Platform
-Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
+Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
-**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
+
+ -or-
+
+- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
-### 16. Sync your settings
+### 18. Sync your settings
You can control if your settings are synchronized:
@@ -1051,13 +1075,13 @@ To turn off Messaging cloud sync:
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
-### 17. Teredo
+### 19. Teredo
You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
- From an elevated command prompt, run **netsh interface teredo set state disabled**
-### 18. Wi-Fi Sense
+### 20. Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
@@ -1083,7 +1107,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
-### 19. Windows Defender
+### 21. Windows Defender
You can disconnect from the Microsoft Antimalware Protection Service.
@@ -1127,11 +1151,15 @@ You can stop downloading definition updates:
-and-
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+
+You can stop Enhanced Notifications:
+
+- Turn off the feature in the UI.
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
-### 20. Windows Media Player
+### 22. Windows Media Player
To remove Windows Media Player:
@@ -1141,9 +1169,15 @@ To remove Windows Media Player:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-### 21. Windows spotlight
+### 23. Windows spotlight
-Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
+Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
+
+If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy:
+
+- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+
+If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:
@@ -1162,7 +1196,8 @@ Windows spotlight provides different background images and text on the lock scre
- Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
- **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
+ > [!NOTE]
+ > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
@@ -1170,15 +1205,15 @@ Windows spotlight provides different background images and text on the lock scre
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
-For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
+For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md).
-### 22. Windows Store
+### 24. Windows Store
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
-### 23. Windows Update Delivery Optimization
+### 25. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
@@ -1186,38 +1221,40 @@ By default, PCs running Windows 10 Enterprise and Windows 10 Education will only
Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
-### 23.1 Settings > Update & security
+In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
+
+### 25.1 Settings > Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
-### 23.2 Delivery Optimization Group Policies
+### 25.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
-| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
-| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.|
+| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
+| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
**Note:** This ID must be a GUID.|
| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-### 23.3 Delivery Optimization MDM policies
+### 25.3 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
-| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
+| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
|
| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
**Note** This ID must be a GUID.|
| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-### 23.4 Delivery Optimization Windows Provisioning
+### 25.4 Delivery Optimization Windows Provisioning
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
@@ -1233,7 +1270,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
-### 24. Windows Update
+### 26. Windows Update
You can turn off Windows Update by setting the following registry entries:
@@ -1243,6 +1280,11 @@ You can turn off Windows Update by setting the following registry entries:
- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+ -and-
+
+- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
+
+
You can turn off automatic updates by doing one of the following. This is not recommended.
- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index 1bd87ca5e2..c3bdd6979a 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
+localizationpriority: medium
---
# Manage corporate devices
@@ -48,7 +49,7 @@ Desktop devices running Windows 10 that are joined to an Active Directory domai
-
@@ -117,15 +118,14 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager &
[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
-[New policies for Windows 10](new-policies-for-windows-10.md)
+- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
+- [New policies for Windows 10](new-policies-for-windows-10.md)
+- [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
+- [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
+- [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
+- [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md)
-[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
-[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
-
-[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
-
-
diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/windows/manage/manage-settings-windows-store-for-business.md
index 9949754977..704d4d4401 100644
--- a/windows/manage/manage-settings-windows-store-for-business.md
+++ b/windows/manage/manage-settings-windows-store-for-business.md
@@ -37,7 +37,7 @@ You can add users and groups, as well as update some of the settings associated
- **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
- **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
+| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. |
+| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
+| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
+| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
+| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
+| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:
- Local storage locations are restricted. Users can only save files to the cloud.
- Custom Start and taskbar layouts are set.\*
- A custom sign-in screen background image is set.\*
- Additional educational policies are applied (see full list below).
\*Only applies to Windows 10 Pro Education, Enterprise, and Education |
+| Customization: SetPowerPolicies | When set as **True**:
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) |
+| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
+| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
+
+
+##Configuring shared PC mode on Windows
+You can configure Windows to be in shared PC mode in a couple different ways:
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
+
+
+
+- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC.
+
+
+
+
+### Create a provisioning package for shared use
+
+Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+
+2. On the **Start page**, select **Advanced provisioning**.
+
+3. Enter a name and (optionally) a description for the project, and click **Next**.
+
+4. Select **All Windows desktop editions**, and click **Next**.
+
+5. Click **Finish**. Your project opens in Windows ICD.
+
+6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization)
+
+7. On the **File** menu, select **Save.**
+8. On the **Export** menu, select **Provisioning package**.
+9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+10. Set a value for **Package Version**.
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
+
+11. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+ > [!IMPORTANT]
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
+
+12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+ Optionally, you can click **Browse** to change the default output location.
+13. Click **Next**.
+14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+ If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+ - Shared network folder
+
+ - SharePoint site
+
+ - Removable media (USB/SD) (select this option to apply to a PC during initial setup)
+
+
+### Apply the provisioning package
+
+You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
+
+**During initial setup**
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ 
+
+2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**.
+
+ 
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ 
+
+5. Select **Yes, add it**.
+
+ 
+
+6. Read and accept the Microsoft Software License Terms.
+
+ 
+
+7. Select **Use Express settings**.
+
+ 
+
+8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
+
+ 
+
+9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
+
+ 
+
+10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
+
+ 
+
+
+**After setup**
+
+On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install.
+
+
+
+> [!NOTE]
+> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
+
+## Guidance for accounts on shared PCs
+
+* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
+* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out.
+* On a Windows PC joined to Azure Active Directory:
+ * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
+ * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
+* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out.
+* If admin accounts are necessary on the PC
+ * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
+ * Create admin accounts before setting up shared PC mode, or
+ * Create exempt accounts before signing out when turning shared pc mode on.
+* The account management service supports accounts that are exempt from deletion.
+ * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
+ * To add the account SID to the registry key using PowerShell:
+ ```
+ $adminName = "LocalAdmin"
+ $adminPass = 'Pa$$word123'
+ iex "net user /add $adminName $adminPass"
+ $user = New-Object System.Security.Principal.NTAccount($adminName)
+ $sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
+ $sid = $sid.Value;
+ New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
+ ```
+
+
+
+
+## Policies set by shared PC mode
+Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
+
+> [!IMPORTANT]
+> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
+
+
+
+
+
+
+
+## Related topics
+
+[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md
index a58bf463c0..fe4253fb64 100644
--- a/windows/manage/settings-that-can-be-locked-down.md
+++ b/windows/manage/settings-that-can-be-locked-down.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
+localizationpriority: high
---
# Settings and quick actions that can be locked down in Windows 10 Mobile
@@ -48,7 +49,7 @@ The following table lists the settings pages and page groups. Use the page name
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
- Notifications and actions
+Notifications & actions
SettingsPageAppsNotifications
@@ -58,24 +59,24 @@ The following table lists the settings pages and page groups. Use the page name
- Message
+Messaging
SettingsPageMessaging
- Battery saver
+Battery
SettingsPageBatterySaver
+
+ Apps for websites
+SettingsPageAppsForWebsites
+
+
-
Storage
SettingsPageStorageSenseStorageOverview
-
- Device encryption
-SettingsPageGroupPCSystemDeviceEncryption
-
Driving mode
@@ -128,7 +129,7 @@ The following table lists the settings pages and page groups. Use the page name
- Cellular and sim
+Cellular & SIM
SettingsPageNetworkCellular
@@ -149,7 +150,7 @@ The following table lists the settings pages and page groups. Use the page name
Mobile hotspot
-SettingsPageInternetSharing
+SettingsPageNetworkMobileHotspot
-
@@ -181,10 +182,15 @@ The following table lists the settings pages and page groups. Use the page name
Lock screen
SettingsPageLockscreen
+
+
- Theme
-SettingsPageStartTheme
+Glance screen
+SettingsPageGlance
+
+
+ Navigation bar
+SettingsNagivationBar
Accounts
@@ -193,7 +199,7 @@ The following table lists the settings pages and page groups. Use the page name
- Your account
+Your info
SettingsPageAccountsPicture
@@ -203,39 +209,33 @@ The following table lists the settings pages and page groups. Use the page name
+
- Work access
-SettingsPageAccountsWorkplace
+Email & app accounts
+SettingsPageAccountsEmailApp
+
+
+ Access work or school
+SettingsPageWorkAccess
-
Sync your settings
SettingsPageAccountsSync
-
- SettingsPageKidsCorner
-
-
SettingsPageAppsCorner
-
- Provisioning
-SettingsPageProvisioningPage
-
-
Time and language
+Time & language
SettingsPageGroupTimeRegion
- Date and time
+Date & time
SettingsPageTimeRegionDateTime
@@ -275,7 +275,7 @@ The following table lists the settings pages and page groups. Use the page name
- High contracts
+High contrast
SettingsPageEaseoOfAccessHighContrast
@@ -315,7 +315,12 @@ The following table lists the settings pages and page groups. Use the page name
+
- Speech inking and typing
+Notifications
+SettingsPagePrivacyNotifications
+
+
+ Speech. inking, & typing
SettingsPagePrivacyPersonalization
@@ -335,6 +340,20 @@ The following table lists the settings pages and page groups. Use the page name
+
+ Phone calls
+SettingsPagePrivacyPhoneCall
+
+
+
+ Call history
+SettingsPagePrivacyCallHistory
+
+
+ Email
+SettingsPagePrivacyEmail
+
+
@@ -345,13 +364,18 @@ The following table lists the settings pages and page groups. Use the page name
Messaging
SettingsPagePrivacyMessaging
+
+ Continue App Experiences
+SettingsPagePrivacyCDP
+
+
Background apps
SettingsPagePrivacyBackgroundApps
- Accessory app0s
-SettingsPagePrivacyAccessories
+Accessory apps
+SettingsPageAccessories
+
@@ -378,6 +402,16 @@ The following table lists the settings pages and page groups. Use the page name
Phone update
SettingsPageRestoreMusUpdate
+
+
+ Windows Insider Program
+SettingsPageFlights
+
+
+ Device encryption
+SettingsPageGroupPCSystemDeviceEncryption
+
Backup
@@ -391,7 +425,7 @@ The following table lists the settings pages and page groups. Use the page name
For developers
-SettingsSystemDeveloperOptions
+SettingsPageSystemDeveloperOptions
OEM
@@ -426,19 +460,16 @@ You can specify the quick actions as follows:
+
+
-
+
-
+
-
+
diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md
index dabf676bf5..3668ccb6d7 100644
--- a/windows/manage/stop-employees-from-using-the-windows-store.md
+++ b/windows/manage/stop-employees-from-using-the-windows-store.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, mobile
author: TrudyHa
+localizationpriority: high
---
# Configure access to Windows Store
diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md
index 38f4bd0b54..90469e91a6 100644
--- a/windows/manage/update-windows-store-for-business-account-settings.md
+++ b/windows/manage/update-windows-store-for-business-account-settings.md
@@ -110,7 +110,7 @@ Not all cards available in all countries. When you add a payment option, Store f
**To add a new payment option**
1. Sign in to [Store for Business](http://businessstore.microsoft.com).
-2. Click **Settings**, and then click **Account information**.
+2. Click **Manage**, and then click **Account information**.
3. Under **My payment options**, tap or click **Show my payment options**, and then select the type of credit card that you want to add.
4. Add information to any required fields, and then click **Next**.
@@ -118,13 +118,13 @@ Once you click Next, the information you provided will be validated with a tes
**Note**:
When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation.
-**To update a payment option**:
+**To update a payment option**
1. Sign in to [Store for Business](http://businessstore.microsoft.com).
-2. Click **Settings**, and then click **Account information**.
-3. Under My payment options > Credit Cards, select the payment option that you want to update, and then click Update.
-4. Enter any updated information in the appropriate fields, and then click Next.
-Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
+2. Click **Manage**, and then click **Account information**.
+3. Under **My payment options** > **Credit Cards**, select the payment option that you want to update, and then click **Update**.
+4. Enter any updated information in the appropriate fields, and then click **Next**.
+Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
**Note**:
Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance.
@@ -132,6 +132,14 @@ Once you click Next, the information you provided will be validated with a tes
Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
+Admins can decide whether or not offline licenses are shown for apps in Windows Store for Business.
+
+**To set offline license visibility**
+
+1. Sign in to [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then click **Account information**.
+3. Under **Offline licensing**, click **Show offline licensed apps to people shopping in the store** to show availability for both online and offline licenses.
+
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.
- Distribute the app through a management tool.
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md
index 3053aedc09..a7d4e10a34 100644
--- a/windows/manage/windows-10-mobile-and-mdm.md
+++ b/windows/manage/windows-10-mobile-and-mdm.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices, security
author: AMeeus
+localizationpriority: high
---
# Windows 10 Mobile and mobile device management
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
index 34e40d5095..c41206fb4c 100644
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ b/windows/manage/windows-10-start-layout-options-and-policies.md
@@ -1,26 +1,29 @@
---
-title: Manage Windows 10 Start layout options (Windows 10)
-description: Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education.
+title: Manage Windows 10 Start and taskbar layout (Windows 10)
+description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education.
ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
keywords: ["start screen", "start menu"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
+localizationpriority: medium
---
-# Manage Windows 10 Start layout options
+# Manage Windows 10 Start and taskbar layout
**Applies to**
- Windows 10
-**Looking for consumer information?**
+> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu)
-- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
+Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
-Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.
+> **Note:** Taskbar configuration is available starting in Windows 10, version 1607.
+
+## Start options
@@ -29,11 +32,6 @@ Some areas of Start can be managed using Group Policy. The layout of Start tiles
The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
-
-
+ ## Taskbar options
+
+Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
+
+There are three categories of apps that might be pinned to a taskbar:
+* Apps pinned by the user
+* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
+* Apps pinned by the enterprise, such as in an unattended Windows setup
+
+ **Note**
+ The earlier method of using [TaskbarLinks](http://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607.
+
+The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
+
+> **Note** In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
+
+
+
+Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
+* Pin additional apps
+* Change the order of pinned apps
+* Unpin any app
+
+### Taskbar configuration applied to clean install of Windows 10
+
+In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
+
+### Taskbar configuration applied to Windows 10 upgrades
+
+When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
+
+The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
+* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
+* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
+* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
+* New apps specified in updated layout file are pinned to right of user's pinned apps.
+
+
## Related topics
[Customize and export Start layout](customize-and-export-start-layout.md)
-[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+
+[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md
new file mode 100644
index 0000000000..2af7597418
--- /dev/null
+++ b/windows/manage/windows-spotlight.md
@@ -0,0 +1,78 @@
+---
+title: Windows Spotlight on the lock screen (Windows 10)
+description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
+ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
+keywords: ["lockscreen"]
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Windows Spotlight on the lock screen
+
+
+**Applies to**
+
+- Windows 10
+
+Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
+
+For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
+
+## What does Windows Spotlight include?
+
+
+- **Background image**
+
+ The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
+
+ 
+
+- **Feature suggestions, fun facts, tips**
+
+ The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
+
+## How do you turn off Windows spotlight locally?
+
+
+To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background
+
+
+
+## How do you disable Windows Spotlight for managed devices?
+
+
+Windows 10, version 1607, provides three new Group Policy settings to help you manage Spotlight on employees' computers.
+
+**Windows 10 Pro, Enterprise, and Education**
+
+- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services.
+
+**Windows 10 Enterprise and Education**
+
+* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Spotlight features in a single setting.
+* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.)
+
+Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+
+
+
+Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image.
+
+
+
+## Related topics
+
+
+[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md
new file mode 100644
index 0000000000..e2a222e6ee
--- /dev/null
+++ b/windows/manage/windows-store-for-business-overview.md
@@ -0,0 +1,277 @@
+---
+title: Windows Store for Business overview (Windows 10)
+description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps.
+ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
+ms.prod: w10
+ms.pagetype: store, mobile
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: TrudyHa
+---
+
+# Windows Store for Business overview
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
+
+## Features
+
+
+Organizations of any size can benefit from using the Store for Business provides:
+
+- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
+
+- **Bulk app acquisition** - Acquire apps in volume from the Store for Business.
+
+- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device.
+
+- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
+
+ - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
+
+ - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
+
+ - Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
+
+- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options.
+
+- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
+
+- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.
+
+## Prerequisites
+
+
+You'll need this software to work with the Store for Business.
+
+### Required
+
+- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox.
+
+- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
+
+Microsoft Azure Active Directory (AD) accounts for your employees:
+
+- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses.
+
+- Employees need Azure AD account when they access Store for Business content from Windows devices.
+
+- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
+
+- For offline-licensed apps, Azure AD accounts are not required for employees.
+
+For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611).
+
+### Optional
+
+While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
+
+- Need to integrate with Windows 10 management framework and Azure AD.
+
+- Need to sync with the Store for Business inventory to distribute apps.
+
+## How does the Store for Business work?
+
+
+### Sign up!
+
+The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
+
+For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md).
+
+### Set up
+
+After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
+
+
Start
@@ -93,8 +91,8 @@ The following table lists the different parts of Start and any applicable policy
+
+
+
+
+In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
+
+Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
+
+### Get apps and content
+
+Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
+
+**App types** -- These app types are supported in the Store for Business:
+
+- Universal Windows Platform apps
+
+- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens
+
+Apps purchased from the Store for Business only work on Windows 10 devices.
+
+Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps.
+
+**App licensing model**
+
+The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
+
+For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model).
+
+### Distribute apps and content
+
+App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization.
+
+**Using the Store for Business** – Distribution options for the Store for Business:
+
+- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app.
+
+- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
+
+- To use the options above users must be signed in with an Azure AD account on a Windows 10 device.
+
+**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
+
+- Scoped content distribution – Ability to scope content distribution to specific groups of employees.
+
+- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees.
+
+Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
+
+For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md).
+
+### Manage Store for Business settings and content
+
+Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory.
+
+**Manage Store for Business settings**
+
+- Assign and change roles for employees or groups
+
+- Device Guard signing
+
+- Register a management server to deploy and install content
+
+- Manage relationships with LOB publishers
+
+- Manage offline licenses
+
+- Update the name of your private store
+
+**Manage inventory**
+
+- Assign app licenses to employees
+
+- Reclaim and reassign app licenses
+
+- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server.
+
+- Download apps for offline installs
+
+For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md).
+
+## Supported markets
+
+
+Store for Business is currently available in these markets.
+
+|Country or locale|Paid apps|Free apps|
+|-----------------|---------|---------|
+|Argentina|X|X|
+|Australia|X|X|
+|Austria|X|X|
+|Belgium (Dutch, French)|X|X|
+|Brazil| |X|
+|Canada (English, French)|X|X|
+|Chile|X|X|
+|Columbia|X|X|
+|Croatia|X|X|
+|Czech Republic|X|X|
+|Denmark|X|X|
+|Finland|X|X|
+|France|X|X|
+|Germany|X|X|
+|Greece|X|X|
+|Hong Kong SAR|X|X|
+|Hungary|X|X|
+|India| |X|
+|Indonesia|X|X|
+|Ireland|X|X|
+|Italy|X|X|
+|Japan|X|X|
+|Malaysia|X|X|
+|Mexico|X|X|
+|Netherlands|X|X|
+|New Zealand|X|X|
+|Norway|X|X|
+|Philippines|X|X|
+|Poland|X|X|
+|Portugal|X|X|
+|Romania|X|X|
+|Russia| |X|
+|Singapore|X|X|
+|Slovakia|X|X|
+|South Africa|X|X|
+|Spain|X|X|
+|Sweden|X|X|
+|Switzerland (French, German)|X|X|
+|Taiwan| |X|
+|Thailand|X|X|
+|Turkey|X|X|
+|Ukraine| |X|
+|United Kingdom|X|X|
+|United States|X|X|
+|Vietnam|X|X|
+
+## ISVs and the Store for Business
+
+
+Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
+
+- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs.
+
+- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization.
+
+- Admin adds the app to Store for Business inventory.
+
+Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
+
+For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md).
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index 86f527f088..803e29432b 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -1,6 +1,5 @@
# [Plan for Windows 10 deployment](index.md)
-## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
-## [Windows 10 servicing overview](windows-10-servicing-options.md)
+## [Windows 10 servicing options](windows-10-servicing-options.md)
## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
## [Windows 10 compatibility](windows-10-compatibility.md)
## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
@@ -14,29 +13,99 @@
### [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
### [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
## [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)
-### [Standard User Analyzer (SUA) User's Guide](sua-users-guide.md)
-#### [Using the SUA Wizard](using-the-sua-wizard.md)
-#### [Using the SUA Tool](using-the-sua-tool.md)
-##### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
-##### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
-##### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
-##### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
-### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-#### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
-##### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)
-##### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)
-##### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
-##### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
-##### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
-##### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)
-##### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)
-##### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
-##### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
-#### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
-##### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)
-##### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)
-##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
-#### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
+### [Welcome to ACT](welcome-to-act.md)
+#### [What's New in ACT 6.1](whats-new-in-act-60.md)
+#### [Software Requirements for ACT](software-requirements-for-act.md)
+#### [Software Requirements for RAP](software-requirements-for-rap.md)
+### [Configuring ACT](configuring-act.md)
+#### [ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
+#### [ACT Deployment Options](act-deployment-options.md)
+#### [ACT Database Configuration](act-database-configuration.md)
+#### [ACT Database Migration](act-database-migration.md)
+#### [ACT LPS Share Permissions](act-lps-share-permissions.md)
+### [Using ACT](using-act.md)
+#### [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)
+##### [Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md)
+##### [Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md)
+##### [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md)
+#### [Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)
+##### [Deciding Which Applications to Test](deciding-which-applications-to-test.md)
+##### [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)
+##### [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)
+##### [Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)
+##### [Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)
+###### [Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md)
+###### [Common Compatibility Issues](common-compatibility-issues.md)
+#### [Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)
+##### [Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)
+##### [Exporting a Data-Collection Package](exporting-a-data-collection-package.md)
+##### [Deleting a Data-Collection Package](deleting-a-data-collection-package.md)
+##### [Labeling Data in ACM](labeling-data-in-acm.md)
+#### [Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)
+##### [Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md)
+###### [<OperatingSystem> - Application Report](act-operatingsystem-application-report.md)
+####### [<Application> Dialog Box](application-dialog-box.md)
+###### [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md)
+####### [<Computer> Dialog Box](computer-dialog-box.md)
+###### [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md)
+####### [<Device> Dialog Box](device-dialog-box.md)
+###### [Internet Explorer - Web Site Report](internet-explorer-web-site-report.md)
+####### [<WebsiteURL> Dialog Box](websiteurl-dialog-box.md)
+###### [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md)
+###### [Customizing Your Report Views](customizing-your-report-views.md)
+##### [Organizing Your Compatibility Data](organizing-your-compatibility-data.md)
+###### [Organizational Tasks for Each Report Type](organizational-tasks-for-each-report-type.md)
+###### [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)
+###### [Selecting Your Deployment Status](selecting-your-deployment-status.md)
+###### [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md)
+###### [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md)
+###### [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)
+###### [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md)
+####### [Adding or Editing an Issue](adding-or-editing-an-issue.md)
+####### [Adding or Editing a Solution](adding-or-editing-a-solution.md)
+####### [Resolving an Issue](resolving-an-issue.md)
+##### [Filtering Your Compatibility Data](filtering-your-compatibility-data.md)
+###### [Example Filter Queries](example-filter-queries.md)
+##### [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md)
+###### [Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md)
+###### [ACT Community Ratings and Process](act-community-ratings-and-process.md)
+#### [Fixing Compatibility Issues](fixing-compatibility-issues.md)
+##### [Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md)
+##### [SUA User's Guide](sua-users-guide.md)
+###### [Using the SUA Wizard](using-the-sua-wizard.md)
+###### [Using the SUA Tool](using-the-sua-tool.md)
+####### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
+####### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
+####### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
+####### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
+##### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+###### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
+####### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)
+####### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)
+####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
+####### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
+####### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
+####### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)
+####### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)
+####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
+####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
+###### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
+####### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)
+####### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)
+####### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
+###### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
+### [Troubleshooting ACT](troubleshooting-act.md)
+#### [Troubleshooting the ACT Configuration Wizard](troubleshooting-the-act-configuration-wizard.md)
+#### [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md)
+#### [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md)
+### [ACT User Interface Reference](act-user-interface-reference.md)
+#### [Toolbar Icons in ACM](act-toolbar-icons-in-acm.md)
+#### [Ratings Icons in ACM](ratings-icons-in-acm.md)
+#### [Activating and Closing Windows in ACM](activating-and-closing-windows-in-acm.md)
+#### [Settings for ACM](settings-for-acm.md)
+##### [Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md)
+##### [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md)
+### [ACT Product and Documentation Resources](act-product-and-documentation-resources.md)
+### [ACT Glossary](act-glossary.md)
### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-
-
+## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
\ No newline at end of file
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
index 3fdb201110..a5aa2b6a47 100644
--- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
@@ -13,6 +13,12 @@ author: TrudyHa
This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
+## RELEASE: Windows 10, version 1607
+
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+
+
## July 2016
@@ -21,6 +27,7 @@ This topic lists new and updated topics in the [Plan for Windows 10 deployment](
|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
| [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md) page. |
+
## May 2016
diff --git a/windows/plan/index.md b/windows/plan/index.md
index e8c8cdb020..1a3583938b 100644
--- a/windows/plan/index.md
+++ b/windows/plan/index.md
@@ -15,14 +15,14 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
## In this section
|Topic |Description |
|------|------------|
-|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
-|[Windows 10 servicing overview](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
+|[Windows 10 servicing options](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
|[Windows Update for Business](windows-update-for-business.md) |Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. |
|[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. |
|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. |
+|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
## Related topics
- [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md)
diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md
index 6ac55f7ffc..de610fd342 100644
--- a/windows/plan/windows-10-servicing-options.md
+++ b/windows/plan/windows-10-servicing-options.md
@@ -72,6 +72,7 @@ Windows 10 enables organizations to fulfill the desire to provide users with the
## Related topics
+[Windows 10 release information](https://technet.microsoft.com/windows/release-info)
+
+
+
+Permission
+Account settings
+Acquire apps
+Distribute apps
+Device Guard signing
+
+
+
+
+
+
+
+
+
+
+
+
+
+
[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
[Windows 10 compatibility](windows-10-compatibility.md)
[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index c8901b35ec..c672a255a8 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,20 +1,5 @@
# [What's new in Windows 10](index.md)
-## [Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)
-## [AppLocker](applocker.md)
-## [BitLocker](bitlocker.md)
-## [Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md)
-## [Credential Guard](credential-guard.md)
-## [Device Guard](device-guard-overview.md)
-## [Enterprise data protection (EDP)](edp-whats-new-overview.md)
-## [Enterprise management for Windows 10 devices](device-management.md)
-## [Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md)
-## [Microsoft Passport](microsoft-passport.md)
-## [Provisioning packages](new-provisioning-packages.md)
-## [Security](security.md)
-## [Security auditing](security-auditing.md)
-## [Trusted Platform Module](trusted-platform-module.md)
-## [User Account Control](user-account-control.md)
-## [Windows spotlight on the lock screen](windows-spotlight.md)
-## [Windows Store for Business overview](windows-store-for-business-overview.md)
-## [Windows Update for Business](windows-update-for-business.md)
+## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
+## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
+
diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md
index 1c14abc6dc..eded8c7862 100644
--- a/windows/whats-new/applocker.md
+++ b/windows/whats-new/applocker.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
---
# What's new in AppLocker?
diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md
index 4e9d0f7b61..0176decb20 100644
--- a/windows/whats-new/bitlocker.md
+++ b/windows/whats-new/bitlocker.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security, mobile
author: brianlic-msft
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
---
# What's new in BitLocker?
diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md
index 14362dd08c..750a878d7d 100644
--- a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md
+++ b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md
@@ -11,6 +11,7 @@ author: TrudyHa
# Change history for What's new in Windows 10
This topic lists new and updated topics in the [What's new in Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
## April 2016
|New or changed topic |Description |
diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md
index 48f7a4f853..02ff200227 100644
--- a/windows/whats-new/credential-guard.md
+++ b/windows/whats-new/credential-guard.md
@@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
---
# What's new in Credential Guard?
diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md
index 4ea023327b..52e09d3d1a 100644
--- a/windows/whats-new/device-management.md
+++ b/windows/whats-new/device-management.md
@@ -7,118 +7,11 @@ ms.pagetype: devices, mobile
ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerMS
+redirect_url: /whats-new/whats-new-windows-10-version-1507-and-1511
---
# Enterprise management for Windows 10 devices
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
-
-## MDM support
-
-
-MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. To learn more about policies, see [Configuration service provider reference for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533046).
-
-MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
-
-Corporate-owned devices can be enrolled automatically for enterprises using Azure AD.
-
-## Unenrollment
-
-
-When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device.
-
-When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed.
-
-## Infrastructure
-
-
-Enterprises have the following identity and management choices.
-
-| Area | Choices |
-|---|---|
-| Identity | Active Directory; Azure AD |
-| Grouping | Domain join; Workgroup; Azure AD join |
-| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
-
-
-
-**Note**
-With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512).
-
-
-
-## Device lockdown
-
-
-Do you need a computer that can only do one thing? For example:
-
-- A device in the lobby that customers can use to view your product catalog.
-
-- A portable device that drivers can use to check a route on a map.
-
-- A device that a temporary worker uses to enter data.
-
-You can configure a persistent locked down state to create a kiosk-type device. When the locked-down account is logged on, the device displays only the app that you select.
-
-You can also configure a lockdown state that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
-
-Lockdown settings can also be configured for device look and feel, such as a theme or a custom layout on the Start screen.
-
-## Updates
-
-
-With Windows 10, your enterprise will have more choice and flexibility in applying operating system updates. You can manage and control updates to devices running Windows 10 Pro and Windows 10 Enterprise using MDM policies.
-
-While Windows Update provides updates to unmanaged devices, most enterprises prefer to manage and control the flow of updates using their device management solution. You can choose to apply the latest updates as soon as they are available, or you can set a source and schedule for updates that works for your specific requirements.
-
-For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md).
-
-## Easier certificate management
-
-
-For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Microsoft Passport in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device.
-
-## Learn more
-
-
-[Windows 10: Manageability Choices](http://go.microsoft.com/fwlink/p/?LinkId=533886)
-
-[Windows 10: Management](http://go.microsoft.com/fwlink/p/?LinkId=533887)
-
-[Windows 10 Technical Preview Fundamentals for IT Pros: Windows 10 Management and Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533888)
-
-[Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172)
-
-Active Directory blog posts on Azure AD and Windows 10:
-
-- [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=619025)
-
-- [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791)
-
-- [Azure AD on Windows 10 Personal Devices]( http://go.microsoft.com/fwlink/p/?LinkId=619028)
-
-- [Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops!](http://go.microsoft.com/fwlink/p/?LinkID=615765)
-
-## Related topics
-
-
-[Manage corporate devices](../manage/manage-corporate-devices.md)
-
-[Microsoft Passport](microsoft-passport.md)
-
-[Enterprise Data Protection Overview](edp-whats-new-overview.md)
-
-
-
-
-
-
-
+This page has been redirected to **What's new in Windows 10, versions 1507 and 1511**.
diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md
index 9370b6beb5..8c053fd990 100644
--- a/windows/whats-new/edge-ie11-whats-new-overview.md
+++ b/windows/whats-new/edge-ie11-whats-new-overview.md
@@ -1,56 +1,6 @@
---
title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10)
description: Resources to help you explore the Windows 10 browsing options for your enterprise.
-ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: mobile
-author: eross-msft
+redirect_url: https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11
---
-# Browser: Microsoft Edge and Internet Explorer 11
-**Microsoft Edge content applies to:**
-
-- Windows 10
-- Windows 10 Mobile
-
-**Internet Explorer 11 content applies to:**
-
-- Windows 10
-
-## Enterprise guidance
-Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
-
-We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
-
-### Microsoft Edge
-Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
-
-- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
-- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
-- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
-- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
-
-### IE11
-IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.
-
-- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.
-- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.
-- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk.
-- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.
-- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.
-- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
-
-## Related topics
-- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
-- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
-- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
-- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
-- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
-- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
-
-
-
-
-
diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md
index 4b157c50e8..a6816c161f 100644
--- a/windows/whats-new/edp-whats-new-overview.md
+++ b/windows/whats-new/edp-whats-new-overview.md
@@ -1,81 +1,5 @@
---
title: Enterprise data protection (EDP) overview (Windows 10)
description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud.
-ms.assetid: 428A3135-CB5E-478B-B1FF-B6EB76F0DF14
-keywords: EDP Overview, EDP
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: mobile, security
-author: eross-msft
----
-
-# Enterprise data protection (EDP) overview
-
-**Applies to:**
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-
-Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
-
-## Benefits of EDP
-
-EDP provides:
-- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
-
-- Additional data protection for existing line-of-business apps without a need to update the apps.
-
-- Ability to wipe corporate data from devices while leaving personal data alone.
-
-- Use of audit reports for tracking issues and remedial actions.
-
-- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later), or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
-
-## Enterprise scenarios
-EDP currently addresses these enterprise scenarios:
-- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-
-- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-
-- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
-
-- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
-
-## Why use EDP?
-EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-
-- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
-
-- **Manage your enterprise documents, apps, and encryption modes.**
-
- - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
-
- - **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
-
- - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your EDP management-mode.
-
- You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
-
- - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
-
- - **Data encryption at rest.** EDP helps protect enterprise data on local files and on removable media.
-
- Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
-
- - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
-
- - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-
- - **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
-
-## Turn off EDP
-
-You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info.
-
-## Related topics
-- [Protect your enterprise data using enterprise data protection (EDP)](../keep-secure/protect-enterprise-data-using-edp.md)
-
\ No newline at end of file
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
+---
\ No newline at end of file
diff --git a/windows/whats-new/images/ICD.png b/windows/whats-new/images/ICD.png
new file mode 100644
index 0000000000..9cfcb845df
Binary files /dev/null and b/windows/whats-new/images/ICD.png differ
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index 91bd262819..a49967a2c0 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -2,119 +2,35 @@
title: What's new in Windows 10 (Windows 10)
description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more.
ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
-keywords: ["What's new in Windows 10", "Windows 10"]
+keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"]
ms.prod: w10
author: TrudyHa
+localizationpriority: high
---
# What's new in Windows 10
-Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. These technical overviews are designed to help you understand key feature changes and benefits and answer common questions about Windows 10 technologies.
+Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
## In this section
+- [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
+- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
+
-
-
## Learn more
-
-[Windows 10 content from Microsoft Ignite](http://go.microsoft.com/fwlink/p/?LinkId=613210)
-
-[Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkId=690485)
-
-## Related topics
+- [Windows 10 roadmap](https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap)
+- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info)
+- [Windows 10 update history](https://support.microsoft.com/en-us/help/12387/windows-10-update-history)
+- [Windows 10 content from Microsoft Ignite](http://go.microsoft.com/fwlink/p/?LinkId=613210)
+- [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkId=690485)
-[Windows 10 and Windows 10 Mobile](../index.md)
diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md
index 7df7446f4e..90a8a04ba6 100644
--- a/windows/whats-new/lockdown-features-windows-10.md
+++ b/windows/whats-new/lockdown-features-windows-10.md
@@ -8,108 +8,9 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
+redirect_url: /manage/lockdown-features-windows-10
---
# Lockdown features from Windows Embedded 8.1 Industry
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md
index 0165451cb8..57ac5201dc 100644
--- a/windows/whats-new/microsoft-passport.md
+++ b/windows/whats-new/microsoft-passport.md
@@ -1,40 +1,16 @@
---
-title: Microsoft Passport overview (Windows 10)
-description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication.
+title: Windows Hello overview (Windows 10)
+description: In Windows 10, Windows Hello replaces passwords with strong two-factor authentication.
ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B
-keywords: password, hello, fingerprint, iris, biometric
+keywords: password, hello, fingerprint, iris, biometric, passport
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: mobile, security
author: jdeckerMS
+redirect_url: /whats-new/whats-new-windows-10-version-1607
---
-# Microsoft Passport overview
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
+# Windows Hello overview
-In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
-
-Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
-Microsoft Passport also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions
-
-## Benefits of Microsoft Passport
-
-- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Microsoft Passport and Hello. From that point on, the employee can access enterprise resources by providing a gesture.
-- **Security**. Microsoft Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft
-
-Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of Trusted Platform Modules (TPMs).
-[Learn how to implement and manage Microsoft Passport in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md)
-
-## Learn more
-
-[Why a PIN is better than a password](../keep-secure/why-a-pin-is-better-than-a-password.md)
-[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](http://go.microsoft.com/fwlink/p/?LinkId=533890)
-[Windows 10: The End Game for Passwords and Credential Theft?](http://go.microsoft.com/fwlink/p/?LinkId=533891)
-
-## Related topics
-[Device management](device-management.md)
-
-
+This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md
index 1cdff3fc09..1b82f732b1 100644
--- a/windows/whats-new/new-provisioning-packages.md
+++ b/windows/whats-new/new-provisioning-packages.md
@@ -7,102 +7,10 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
+redirect_url: /deploy/provisioning-packages
---
# Provisioning packages
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-
-Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
-
-## Benefits of provisioning packages
-
-
-Provisioning packages let you:
-
-- Quickly configure a new device without going through the process of installing a new image.
-
-- Save time by configuring multiple devices using one provisioning package.
-
-- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure.
-
-- Set up a device without the device having network connectivity.
-
-Provisioning packages can be:
-
-- Installed using removable media such as an SD card or USB flash drive.
-
-- Attached to an email.
-
-- Downloaded from a network share.
-
-## What you can configure
-
-
-The following table provides some examples of what can be configured using provisioning packages.
-
-| Customization options | Examples |
-|--------------------------|-----------------------------------------------------------------------------------------------|
-| Applications | Windows apps, line-of-business applications |
-| Bulk enrollment into MDM | Automatic enrollment into Microsoft Intune or a third-party MDM service |
-| Certificates | Root certification authority (CA), client certificates |
-| Connectivity profiles | Wi-Fi, proxy settings, Email |
-| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
-| Data assets | Documents, music, videos, pictures |
-| Start menu customization | Start menu layout, application pinning |
-| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
-
-
-
-For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
-
-## Creating a provisioning package
-
-
-With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10[from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700).
-
-While running ADKsetup.exe, select the following features from the **Select the features you want to install** dialog box:
-
-- Deployment Tools
-
-- Windows Preinstallation Environment (Windows PE)
-
-- Windows Imaging and Configuration Designer (ICD)
-
-- Windows User State Migration Tool (USMT)
-
-Windows ICD depends on other tools in order to work correctly. If you only select Windows ICD in the installation wizard, the other tools listed above will also be selected for installation.
-
-Once you have installed Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
-
-## Applying a provisioning package to a device
-
-
-Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
-
-## Learn more
-
-
-[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708)
-
-## Related topics
-
-
-[Update Windows 10 images with provisioning packages](../deploy/update-windows-10-images-with-provisioning-packages.md)
-
-[Configure devices without MDM](../manage/configure-devices-without-mdm.md)
-
-
-
-
-
-
-
-
-
+This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md
index 13c6a7e5b8..c597c177b0 100644
--- a/windows/whats-new/security-auditing.md
+++ b/windows/whats-new/security-auditing.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
ms.pagetype: security, mobile
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
---
# What's new in security auditing?
diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md
index 18a325aa7f..91f4646825 100644
--- a/windows/whats-new/trusted-platform-module.md
+++ b/windows/whats-new/trusted-platform-module.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security, mobile
author: brianlic-msft
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
---
# What's new in Trusted Platform Module?
diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md
index fad8ee0ff5..7933086c5d 100644
--- a/windows/whats-new/user-account-control.md
+++ b/windows/whats-new/user-account-control.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
---
# What's new in User Account Control?
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
new file mode 100644
index 0000000000..1e0c6c19dd
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -0,0 +1,356 @@
+---
+title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
+description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile.
+ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: TrudyHa
+localizationpriority: high
+---
+
+# What's new in Windows 10, versions 1507 and 1511
+
+Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511.
+
+> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info).
+
+## Deployment
+
+### Provisioning devices using Windows Imaging and Configuration Designer (ICD)
+
+With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
+
+[Learn more about provisioning in Windows 10.](../deploy/provisioning-packages.md)
+
+
+## Security
+
+### Applocker
+
+#### New Applocker features in Windows 10, version 1507
+
+- A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
+- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
+- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx).
+
+[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview.md).
+
+### Bitlocker
+
+#### New Bitlocker features in Windows 10, version 1511
+
+- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
+ It provides the following benefits:
+ - The algorithm is FIPS-compliant.
+ - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
+ >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
+
+#### New Bitlocker features in Windows 10, version 1507
+
+- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
+- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
+- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the "Configure pre-boot recovery message and URL" section in [BitLocker Group Policy settings](../keep-secure/bitlocker-group-policy-settings.md).
+
+[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview.md).
+
+### Credential Guard
+
+#### New Credential Guard features in Windows 10, version 1511
+
+- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
+ - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
+ - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials.
+ - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
+- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
+- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled.
+
+[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md).
+
+### Easier certificate management
+
+
+For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](~/keep-secure/installing-digital-certificates-on-windows-10-mobile.md)
+
+### Microsoft Passport
+
+In Windows 10, [Microsoft Passport](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
+
+Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
+
+### Security auditing
+
+#### New Security auditing features in Windows 10, version 1511
+
+- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.
+
+#### New features in Windows 10, version 1507
+
+In Windows 10, security auditing has added some improvements:
+- [New audit subcategories](#bkmk-auditsubcat)
+- [More info added to existing audit events](#bkmk-moreinfo)
+
+##### New audit subcategories
+
+In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
+- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
+ When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event.
+- [Audit PNP Activity](../keep-secure/audit-pnp-activity.md) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
+ Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
+ A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
+
+##### More info added to existing audit events
+
+With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
+- [Changed the kernel default audit policy](#bkmk-kdal)
+- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
+- [Added new fields in the logon event](#bkmk-logon)
+- [Added new fields in the process creation event](#bkmk-logon)
+- [Added new Security Account Manager events](#bkmk-sam)
+- [Added new BCD events](#bkmk-bcd)
+- [Added new PNP events](#bkmk-pnp)
+
+##### Changed the kernel default audit policy
+
+In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
+
+##### Added a default process SACL to LSASS.exe
+
+In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
+This can help identify attacks that steal credentials from the memory of a process.
+
+##### New fields in the logon event
+
+The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
+1. **MachineLogon** String: yes or no
+ If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
+2. **ElevatedToken** String: yes or no
+ If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown.
+3. **TargetOutboundUserName** String
+ **TargetOutboundUserDomain** String
+ The username and domain of the identity that was created by the LogonUser method for outbound traffic.
+4. **VirtualAccount** String: yes or no
+ If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no.
+5. **GroupMembership** String
+ A list of all of the groups in the user's token.
+6. **RestrictedAdminMode** String: yes or no
+ If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
+ For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx).
+
+##### New fields in the process creation event
+
+The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
+1. **TargetUserSid** String
+ The SID of the target principal.
+2. **TargetUserName** String
+ The account name of the target user.
+3. **TargetDomainName** String
+ The domain of the target user..
+4. **TargetLogonId** String
+ The logon ID of the target user.
+5. **ParentProcessName** String
+ The name of the creator process.
+6. **ParentProcessId** String
+ A pointer to the actual parent process if it's different from the creator process.
+
+##### New Security Account Manager events
+
+In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
+- SamrEnumerateGroupsInDomain
+- SamrEnumerateUsersInDomain
+- SamrEnumerateAliasesInDomain
+- SamrGetAliasMembership
+- SamrLookupNamesInDomain
+- SamrLookupIdsInDomain
+- SamrQueryInformationUser
+- SamrQueryInformationGroup
+- SamrQueryInformationUserAlias
+- SamrGetMembersInGroup
+- SamrGetMembersInAlias
+- SamrGetUserDomainPasswordInformation
+
+##### New BCD events
+
+Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
+- DEP/NEX settings
+- Test signing
+- PCAT SB simulation
+- Debug
+- Boot debug
+- Integrity Services
+- Disable Winload debugging menu
+
+##### New PNP events
+
+Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
+
+[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview.md).
+
+### Trusted Platform Module
+
+#### New TPM features in Windows 10, version 1511
+
+- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
+
+#### New TPM features in Windows 10, version 1507
+
+The following sections describe the new and changed functionality in the TPM for Windows 10:
+- [Device health attestation](#bkmk-dha)
+- [Microsoft Passport](microsoft-passport.md) support
+- [Device Guard](device-guard-overview.md) support
+- [Credential Guard](../keep-secure/credential-guard.md) support
+
+### Device health attestation
+
+Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
+Some things that you can check on the device are:
+- Is Data Execution Prevention supported and enabled?
+- Is BitLocker Drive Encryption supported and enabled?
+- Is SecureBoot supported and enabled?
+
+> **Note** The device must be running Windows 10 and it must support at least TPM 2.0.
+
+[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-overview.md).
+
+### User Account Control
+
+User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
+
+You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
+
+For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md).
+
+In Windows 10, User Account Control has added some improvements.
+
+#### New User Account Control features in Windows 10, version 1507
+
+- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
+
+[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md).
+
+### VPN profile options
+
+Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including:
+• Always-on auto connection behavior
+• App=triggered VPN
+• VPN traffic filters
+• Lock down VPN
+• Integration with Microsoft Passport for Work
+
+[Learn more about the VPN options in Windows 10.](../keep-secure/vpn-profile-options.md)
+
+
+## Management
+
+Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
+
+### MDM support
+
+
+MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more.
+
+MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
+
+Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172)
+
+### Unenrollment
+
+
+When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device.
+
+When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed.
+
+### Infrastructure
+
+
+Enterprises have the following identity and management choices.
+
+| Area | Choices |
+|---|---|
+| Identity | Active Directory; Azure AD |
+| Grouping | Domain join; Workgroup; Azure AD join |
+| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
+
+ > **Note**
+With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512).
+
+
+### Device lockdown
+
+
+Do you need a computer that can only do one thing? For example:
+
+- A device in the lobby that customers can use to view your product catalog.
+
+- A portable device that drivers can use to check a route on a map.
+
+- A device that a temporary worker uses to enter data.
+
+You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/en-us/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select.
+
+You can also [configure a lockdown state](https://technet.microsoft.com/en-us/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
+
+Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-start-layout-options-and-policies).
+
+### Customized Start layout
+
+A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](../manage/customize-and-export-start-layout.md).
+
+Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../manage/windows-spotlight.md).
+
+### Windows Store for Business
+**New in Windows 10, version 1511**
+
+With the Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
+
+For more information, see [Windows Store for Business overview](../manage/windows-store-for-business-overview.md).
+
+
+## Updates
+
+Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
+
+By using [Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
+
+- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
+
+- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
+
+- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=699281).
+
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx).
+
+
+Learn more about [Windows Update for Business](../plan/windows-update-for-business.md).
+
+For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md).
+
+## Microsoft Edge
+Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
+
+- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
+- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
+- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
+- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
+
+### Enterprise guidance
+Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
+
+We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
+
+[Learn more about using Microsoft Edge in the enterprise](https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11)
+
+
+## Learn more
+
+- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
new file mode 100644
index 0000000000..630ae470c8
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -0,0 +1,100 @@
+---
+title: What's new in Windows 10, version 1607 (Windows 10)
+description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile.
+ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
+keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: TrudyHa
+localizationpriority: high
+---
+
+# What's new in Windows 10, version 1607
+
+Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update).
+
+> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info).
+
+## Deployment
+
+### Windows Imaging and Configuration Designer (ICD)
+
+In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+
+Windows ICD now includes simplified workflows for creating provisioning packages:
+
+- [Simple provisioning to set up common settings for Active Directory-joined devices](~/deploy/provision-pcs-for-initial-deployment.md)
+- [Advanced provisioning to deploy certificates and apps](~/deploy/provision-pcs-with-apps-and-certificates.md)
+- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain)
+
+[Learn more about using provisioning packages in Windows 10.](../deploy/provisioning-packages.md)
+
+## Security
+
+### Credential Guard and Device Guard
+
+Isolated User Mode is now included with Hyper-V so you don't have to install it separately.
+
+### Windows Hello for Business
+
+When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+
+Additional changes for Windows Hello in Windows 10, version 1607:
+
+- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
+- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
+
+
+[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)
+
+### VPN
+
+- The VPN client can integrate with the Conditional Access Framework, a cloud-pased policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
+- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](../keep-secure/protect-enterprise-data-using-edp.md), previously known as Enterprise Data Protection.
+- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
+- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
+
+### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+
+Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
+
+- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
+- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
+
+[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip)
+
+### Windows Defender
+Several new features and management options have been added to Windows Defender in Windows 10, version 1607.
+
+- [Windows Defender Offline in Windows 10](../keep-secure/windows-defender-offline.md) can be run directly from within Windows, without having to create bootable media.
+- [Use PowerShell cmdlets for Windows Defender](../keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md) to configure options and run scans.
+- [Enable the Block at First Sight feature in Windows 10](../keep-secure/windows-defender-block-at-first-sight.md) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Configure enhanced notifications for Windows Defender in Windows 10](../keep-secure/windows-defender-enhanced-notifications.md) to see more informaiton about threat detections and removal.
+- [Run a Windows Defender scan from the command line](../keep-secure/run-cmd-scan-windows-defender-for-windows-10.md).
+- [Detect and block Potentially Unwanted Applications with Windows Defender](../keep-secure/enable-pua-windows-defender-for-windows-10.md) during download and install times.
+
+## Management
+
+### Use Remote Desktop Connection for PCs joined to Azure Active Directory
+
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](../manage/connect-to-remote-aadj-pc.md)
+
+
+### Taskbar configuration
+
+Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](../manage/windows-10-start-layout-options-and-policies.md)
+
+### Mobile device management and configuration service providers (CSPs)
+
+Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607).
+
+### Shared PC mode
+
+Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../manage/set-up-shared-or-guest-pc.md)
+
+
+## Learn more
+
+- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info)
diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md
new file mode 100644
index 0000000000..c2f98f8924
--- /dev/null
+++ b/windows/whats-new/windows-10-insider-preview.md
@@ -0,0 +1,27 @@
+---
+title: Documentation for Windows 10 Insider Preview (Windows 10)
+description: Preliminary documentation for some Windows 10 features in Insider Preview.
+ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: TrudyHa
+---
+
+# Documentation for Windows 10 Insider Preview
+
+> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]
+
+This section contains preliminary documentation for some enterprise features in Windows 10 Insider Preview. Information in this section may change frequently.
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md
index d4fb43b2ec..61edb41016 100644
--- a/windows/whats-new/windows-spotlight.md
+++ b/windows/whats-new/windows-spotlight.md
@@ -1,64 +1,16 @@
---
-title: Windows spotlight on the lock screen (Windows 10)
-description: Windows spotlight is an option for the lock screen background that displays different background images on the lock screen.
+title: Windows Spotlight on the lock screen (Windows 10)
+description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
keywords: ["lockscreen"]
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerMS
+redirect_url: /manage/windows-spotlight
---
-# Windows spotlight on the lock screen
-
-
-**Applies to**
-
-- Windows 10
-
-Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background.
-
-## What does Windows spotlight include?
-
-
-- **Background image**
-
- The Windows spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
-
- 
-
-- **Feature suggestions, fun facts, tips**
-
- The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
-
-## How do you turn off Windows spotlight?
-
-
-Go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background
-
-
-
-## How do you disable Windows spotlight for managed devices?
-
-
-Windows spotlight is enabled by default. Administrators can replace Windows spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
-
-
-
-Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image.
-
-
-
-## Related topics
-
-
-[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md)
-
-
-
-
-
-
-
+# Windows Spotlight on the lock screen
+This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md
index e1934201c2..abb7c7f8f3 100644
--- a/windows/whats-new/windows-store-for-business-overview.md
+++ b/windows/whats-new/windows-store-for-business-overview.md
@@ -6,281 +6,6 @@ ms.prod: w10
ms.pagetype: store, mobile
ms.mktglfcycl: manage
ms.sitesec: library
+redirect_url: https://technet.microsoft.com/itpro/windows/manage/windows-store-for-business-overview
author: TrudyHa
---
-
-# Windows Store for Business overview
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
-
-## Features
-
-
-Organizations of any size can benefit from using the Store for Business provides:
-
-- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
-
-- **Bulk app acquisition** - Acquire apps in volume from the Store for Business.
-
-- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device.
-
-- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
-
- - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
-
- - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
-
- - Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
-
-- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options.
-
-- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
-
-- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.
-
-## Prerequisites
-
-
-You'll need this software to work with the Store for Business.
-
-### Required
-
-- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox.
-
-- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
-
-Microsoft Azure Active Directory (AD) accounts for your employees:
-
-- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses.
-
-- Employees need Azure AD account when they access Store for Business content from Windows devices.
-
-- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
-
-- For offline-licensed apps, Azure AD accounts are not required for employees.
-
-For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611).
-
-### Optional
-
-While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
-
-- Need to integrate with Windows 10 management framework and Azure AD.
-
-- Need to sync with the Store for Business inventory to distribute apps.
-
-## How does the Store for Business work?
-
-
-### Sign up!
-
-The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
-
-For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md).
-
-### Set up
-
-After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
-
-
-
-
-
-Windows Embedded 8.1 Industry lockdown feature
-Windows 10 feature
-Changes
-
-
-N/A
-
-
-[Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)
-
-
-[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)
-
-
-[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)
-
-
-[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)
-
-
-[AppLocker](../keep-secure/applocker-overview.md)
-
-
-
-Mobile device management (MDM) and Group Policy
-
-
-[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)
-
-
-MDM and Group Policy
-
-
-[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)
-
-
-[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)
-
-
-[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)
-
-
-
-[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)
-
-
-
-
-
-In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
-
-Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
-
-### Get apps and content
-
-Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
-
-**App types** -- These app types are supported in the Store for Business:
-
-- Universal Windows Platform apps
-
-- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens
-
-Apps purchased from the Store for Business only work on Windows 10 devices.
-
-Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps.
-
-**App licensing model**
-
-The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
-
-For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model).
-
-### Distribute apps and content
-
-App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization.
-
-**Using the Store for Business** – Distribution options for the Store for Business:
-
-- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app.
-
-- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
-
-- To use the options above users must be signed in with an Azure AD account on a Windows 10 device.
-
-**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
-
-- Scoped content distribution – Ability to scope content distribution to specific groups of employees.
-
-- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees.
-
-Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
-
-For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md).
-
-### Manage Store for Business settings and content
-
-Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory.
-
-**Manage Store for Business settings**
-
-- Assign and change roles for employees or groups
-
-- Device Guard signing
-
-- Register a management server to deploy and install content
-
-- Manage relationships with LOB publishers
-
-- Manage offline licenses
-
-- Update the name of your private store
-
-**Manage inventory**
-
-- Assign app licenses to employees
-
-- Reclaim and reassign app licenses
-
-- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server.
-
-- Download apps for offline installs
-
-For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md).
-
-## Supported markets
-
-
-Store for Business is currently available in these markets.
-
-|Country or locale|Paid apps|Free apps|
-|-----------------|---------|---------|
-|Argentina|X|X|
-|Australia|X|X|
-|Austria|X|X|
-|Belgium (Dutch, French)|X|X|
-|Brazil| |X|
-|Canada (English, French)|X|X|
-|Chile|X|X|
-|Columbia|X|X|
-|Croatia|X|X|
-|Czech Republic|X|X|
-|Denmark|X|X|
-|Finland|X|X|
-|France|X|X|
-|Germany|X|X|
-|Greece|X|X|
-|Hong Kong SAR|X|X|
-|Hungary|X|X|
-|India| |X|
-|Indonesia|X|X|
-|Ireland|X|X|
-|Italy|X|X|
-|Japan|X|X|
-|Malaysia|X|X|
-|Mexico|X|X|
-|Netherlands|X|X|
-|New Zealand|X|X|
-|Norway|X|X|
-|Philippines|X|X|
-|Poland|X|X|
-|Portugal|X|X|
-|Romania|X|X|
-|Russia| |X|
-|Singapore|X|X|
-|Slovakia|X|X|
-|South Africa|X|X|
-|Spain|X|X|
-|Sweden|X|X|
-|Switzerland (French, German)|X|X|
-|Taiwan| |X|
-|Thailand|X|X|
-|Turkey|X|X|
-|Ukraine| |X|
-|United Kingdom|X|X|
-|United States|X|X|
-|Vietnam|X|X|
-
-## ISVs and the Store for Business
-
-
-Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
-
-- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs.
-
-- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization.
-
-- Admin adds the app to Store for Business inventory.
-
-Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
-
-For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md).
-
-
-
-
-
-
-
-
-
diff --git a/windows/whats-new/windows-update-for-business.md b/windows/whats-new/windows-update-for-business.md
index 24ae371549..524ca03a0a 100644
--- a/windows/whats-new/windows-update-for-business.md
+++ b/windows/whats-new/windows-update-for-business.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
+redirect_url: /whats-new/whats-new-windows-10-version-1507-and-1511
---
# What's new in Windows Update for Business?
-
-
-
-Permission
-Account settings
-Acquire apps
-Distribute apps
-Device Guard signing
-
-
-
-
-
-
-
-
-
-
-
-
-
-