After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.
Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. |
-
----
-
-
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Prevent turning off required extensions
-- **GP name:** PreventTurningOffRequiredExtensions
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions
-- **Data type:** String
-
-#### Registry settings
-- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions
-- **Value name:** PreventTurningOffRequiredExtensions
-- **Value type:** REG_SZ
-
-### Related policies
-[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)]
-
-
-### Related topics
-
-- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN.
-- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal.
-- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them.
-- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune.
-- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house.
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Disabled or not configured (Allowed)*
+
+[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)]
+
+### Supported values
+
+| Group Policy | Description |
+|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Disabled or not configured **(default)** | Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. |
+| Enabled | Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office extension prevents users from turning it off:
After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.
Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. |
+
+---
+
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent turning off required extensions
+- **GP name:** PreventTurningOffRequiredExtensions
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions
+- **Value name:** PreventTurningOffRequiredExtensions
+- **Value type:** REG_SZ
+
+### Related policies
+[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)]
+
+
+### Related topics
+
+- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN.
+- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal.
+- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them.
+- [Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune.
+- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house.
+
+
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
index c336f03247..c4141688d8 100644
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -1,6 +1,6 @@
---
-title: Deploy Microsoft Edge kiosk mode
-description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access.
+title: Deploy Microsoft Edge Legacy kiosk mode
+description: Microsoft Edge Legacy kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge Legacy kiosk mode, you must configure Microsoft Edge Legacy as an application in assigned access.
ms.assetid:
ms.reviewer:
audience: itpro
@@ -11,20 +11,24 @@ ms.prod: edge
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
-ms.date: 10/29/2018
+ms.date: 01/17/2020
---
-# Deploy Microsoft Edge kiosk mode
+# Deploy Microsoft Edge Legacy kiosk mode
->Applies to: Microsoft Edge on Windows 10, version 1809
+>Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
>Professional, Enterprise, and Education
> [!NOTE]
-> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
+> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode).
-In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode.
+In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode.
-In this topic, you learn how to configure the behavior of Microsoft Edge when it's running in kiosk mode with assigned access. You also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or other MDM service.
+In this topic, you'll learn:
+
+- How to configure the behavior of Microsoft Edge Legacy when it's running in kiosk mode with assigned access.
+- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices.
+- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service.
At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
@@ -33,7 +37,7 @@ At the end of this topic, you can find a list of [supported policies](#supported
>**Policy** = Configure kiosk mode (ConfigureKioskMode)
-Microsoft Edge kiosk mode supports four configurations types that depend on how Microsoft Edge is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
+Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image)
@@ -44,15 +48,17 @@ Microsoft Edge kiosk mode supports four configurations types that depend on how
- Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down).
-### Important things to remember before getting started
+### Important things to note before getting started
-- The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks.
+- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device.
-- Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
+- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks.
+
+- Microsoft Edge Legacy kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge Legacy resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more.
-- No matter which configuration type you choose, you must set up Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).
Learn more about assigned access:
+- No matter which configuration type you choose, you must set up Microsoft Edge Legacy in assigned access; otherwise, Microsoft Edge Legacy ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).
Learn more about assigned access:
- [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw).
@@ -65,46 +71,58 @@ Microsoft Edge kiosk mode supports four configurations types that depend on how
[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)]
-## Set up Microsoft Edge kiosk mode
+## Set up Microsoft Edge Legacy kiosk mode
-Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode:
+Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge Legacy kiosk mode:
- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
-- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
+- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
### Prerequisites
-- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
+- Microsoft Edge Legacy on Windows 10, version 1809 (Professional, Enterprise, and Education).
+
+- See [Setup required for Microsoft Edge Legacy kiosk mode](#setup-required-for-microsoft-edge-legacy-kiosk-mode).
- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page.
-- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge:
+- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge Legacy:
```
Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
```
+### Setup required for Microsoft Edge Legacy kiosk mode
+
+When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge.
+
+To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take one of the following actions:
+
+- If you plan to install Microsoft Edge Stable channel, want to allow it to be installed, or it is already installed on your kiosk device set the Microsoft Edge [Allow Microsoft Edge Side by Side browser experience](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#allowsxs) policy to **Enabled**.
+- To prevent Microsoft Edge Stable channel from being installed on your kiosk devices deploy the Microsoft Edge [Allow installation default](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#installdefault) policy for Stable channel or consider using the [Blocker toolkit](https://docs.microsoft.com/DeployEdge/microsoft-edge-blocker-toolkit) to disable automatic delivery of Microsoft Edge.
+
+> [!NOTE]
+> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge).
### Use Windows Settings
Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
-
1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**.
2. On the **Set up a kiosk** page, click **Get started**.
3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**.
-4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**.
+4. On the **Choose a kiosk app** page, select **Microsoft Edge Legacy** and then click **Next**.
-5. Select how Microsoft Edge displays when running in kiosk mode:
+5. Select how Microsoft Edge Legacy displays when running in kiosk mode:
- - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.
+ - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data.
- - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data.
+ - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data.
6. Select **Next**.
@@ -124,42 +142,42 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
- User your new kiosk device.
OR
-- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
+- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge Legacy**.
---
### Use Microsoft Intune or other MDM service
-With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
+With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
>[!IMPORTANT]
>If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
-2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device.
+2. Configure the following MDM settings to setup Microsoft Edge Legacy kiosk mode on the kiosk device and then restart the device.
| | |
|---|---|
- | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**
 | Configure the display mode for Microsoft Edge as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
**Single-app kiosk experience**
**0** - Digital signage and interactive display
**1** - InPrivate Public browsing
**Multi-app kiosk experience**
**0** - Normal Microsoft Edge running in assigned access
 | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
**0** - No idle timer
**1-1440 (5 minutes is the default)** - Set reset on idle timer
 | Set one or more start pages, URLs, to load when Microsoft Edge launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example, \\ |
+ | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**
 | Configure the display mode for Microsoft Edge Legacy as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
**Single-app kiosk experience**
**0** - Digital signage and interactive display
**1** - InPrivate Public browsing
**Multi-app kiosk experience**
**0** - Normal Microsoft Edge Legacy running in assigned access
 | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
**0** - No idle timer
**1-1440 (5 minutes is the default)** - Set reset on idle timer
 | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example, \\ |
| **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
**0 (default)** - Not configured. Show home button, and load the default Start page.
**1** - Enabled. Show home button and load New Tab page
**2** - Enabled. Show home button & set a specific page.
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com |
-**_Congratulations!_**
You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service.
+**_Congratulations!_**
You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
-**_What's next?_**
Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge kiosk mode.
+**_What's next?_**
Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge Legacy kiosk mode.
---
## Supported policies for kiosk mode
-Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
+Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
Make sure to check with your provider for instructions.
@@ -236,10 +254,11 @@ Make sure to check with your provider for instructions.
---
## Feature comparison of kiosk mode and kiosk browser app
-In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
+
+In the following table, we show you the features available in both Microsoft Edge Legacy kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
-| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** |
+| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
| Print support |  |  |
| Multi-tab support |  |  |
@@ -261,9 +280,6 @@ To prevent access to unwanted websites on your kiosk device, use Windows Defende
## Provide feedback or get support
-To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
-
-
-
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
index 64c7c36696..4fc4fb1ecc 100644
--- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
@@ -48,7 +48,7 @@ Before you start, you need to make sure you have the following:
- IETelemetry.mof file
- - Sample System Center 2012 report templates
+ - Sample Configuration Manager report templates
You must use System Center 2012 R2 Configuration Manager or later for these samples to work.
diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md
index c2812cb730..28a0957588 100644
--- a/browsers/internet-explorer/TOC.md
+++ b/browsers/internet-explorer/TOC.md
@@ -186,3 +186,6 @@
### [IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
+## KB Troubleshoot
+### [Clear the Internet Explorer cache from a command line](kb-support/clear-ie-cache-from-command-line.md)
+### [Internet Explorer and Microsoft Edge FAQ for IT Pros](kb-support/ie-edge-faqs.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 81e964a54b..09160baadd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -163,27 +163,58 @@ This table includes the attributes used by the Enterprise Mode schema.
exclude
-
Specifies the domain or path is excluded from applying Enterprise Mode. This attribute is only supported on the <domain> and <path> elements in the <emie> section.
-
Example
+
Specifies the domain or path excluded from applying Enterprise Mode. This attribute is only supported on the <domain> and <path> elements in the <emie> section. If this attribute is absent, it defaults to false.
+
+
Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
+
+
Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index b4149169e2..0b1edff4cd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -56,7 +56,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
- **Use an update management solution to control update deployment.**
- If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
+ If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
>[!Note]
>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202).
@@ -65,7 +65,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t
## Availability of Internet Explorer 11
-Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the System Center Configuration Manager, Microsoft Systems Management Server, and WSUS.
+Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Configuration Manager and WSUS.
## Prevent automatic installation of Internet Explorer 11 with WSUS
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index bf70df22fd..65e099eb37 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -46,7 +46,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage
| Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.
If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.
If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. |
| Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.
**Note** Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.
**Important** When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
-| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:** Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Endpoint Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:** Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.
**Note:** Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.
If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
diff --git a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
new file mode 100644
index 0000000000..0031c6792e
--- /dev/null
+++ b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
@@ -0,0 +1,137 @@
+---
+title: Clear the Internet Explorer cache from a command line
+description: Introduces command-line commands and a sample batch file for clearing the IE cache.
+audience: ITPro
+manager: msmets
+author: ramakoni1
+ms.author: ramakoni
+ms.reviewer: ramakoni, DEV_Triage
+ms.prod: internet-explorer
+ms.technology:
+ms.topic: kb-support
+ms.custom: CI=111020
+ms.localizationpriority: Normal
+# localization_priority: medium
+# ms.translationtype: MT
+ms.date: 01/23/2020
+---
+# How to clear Internet Explorer cache by using the command line
+
+This article outlines the procedure to clear the Internet Explorer cache by using the command line.
+
+## Command line commands to clear browser cache
+
+1. Delete history from the Low folder
+ `del /s /q C:\Users\\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah`
+
+2. Delete history
+ `RunDll32.exe InetCpl.cpl, ClearMyTracksByProcess 1`
+
+3. Delete cookies
+ `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2`
+
+4. Delete temporary internet files
+ `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8`
+
+5. Delete form data
+ `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16`
+
+6. Delete stored passwords
+ `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32`
+
+7. Delete all
+ `RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255`
+
+8. Delete files and settings stored by add-ons
+ `InetCpl.cpl,ClearMyTracksByProcess 4351`
+
+If you upgraded from a previous version of Internet Explorer, you have to use the following commands to delete the files from older versions:
+`RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9`
+
+Command to reset Internet Explorer settings:
+`Rundll32.exe inetcpl.cpl ResetIEtoDefaults`
+
+## Sample batch file to clear Internet Explorer cache files
+
+A sample batch file is available that you can use to clear Internet Explorer cache files and other items. You can download the file from [https://msdnshared.blob.core.windows.net/media/2017/09/ClearIE_Cache.zip](https://msdnshared.blob.core.windows.net/media/2017/09/ClearIE_Cache.zip).
+
+The batch file offers the following options:
+
+- Delete Non-trusted web History (low-level hidden cleanup)
+- Delete History
+- Delete Cookies
+- Delete Temporary Internet Files
+- Delete Form Data
+- Delete Stored Passwords
+- Delete All
+- Delete All "Also delete files and settings stored by add-ons"
+- Delete IE10 and IE9 Temporary Internet Files
+- Resets IE Settings
+- EXIT
+
+**Contents of the batch file**
+
+```console
+@echo off
+:: AxelR Test Batch
+:: tested on Windows 8 + IE10, Windows7 + IE9
+
+:home
+cls
+COLOR 00
+echo Delete IE History
+echo Please select the task you wish to run.
+echo Pick one:
+echo.
+echo 1. Delete Non-trusted web History(low level hidden clean up)
+echo 2. Delete History
+echo 3. Delete Cookies
+echo 4. Delete Temporary Internet Files
+echo 5. Delete Form Data
+echo 6. Delete Stored Passwords
+echo 7. Delete All
+echo 8. Delete All "Also delete files and settings stored by add-ons"
+echo 9. Delete IE10 and 9 Temporary Internet Files
+echo 10. Reset IE Settings
+echo 77. EXIT
+:choice
+Echo Hit a number [1-10] and press enter.
+set /P CH=[1-10]
+
+if "%CH%"=="1" set x=del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
+if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
+if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
+if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
+if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
+if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
+if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
+if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
+if "%CH%"=="9" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
+if "%CH%"=="10" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
+if "%CH%"=="77" goto quit
+
+%x%
+
+goto Home
+
+::Temporary Internet Files > Delete files - To delete copies of web pages, images, and media
+::that are saved for faster viewing.
+::Cookies > Delete cookies - To delete cookies, which are files that are stored on your computer by
+::websites to save preferences such as login information.
+::History > Delete history - To delete the history of the websites you have visited.
+::Form data > Delete forms - To delete all the saved information that you have typed into
+::forms.
+::Passwords > Delete passwords - To delete all the passwords that are automatically filled in
+::when you log on to a website that you've previously visited.
+::Delete all - To delete all of these listed items in one operation.
+
+::enter below in search/run to see Low history dir if exists
+::C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low
+
+::Delete all low (untrusted history) very hidden
+::this will clean any unlocked files under the dir and not delete the dir structure
+::del /s /q low\* /ah ::del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
+
+goto Home
+:quit
+```
diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
new file mode 100644
index 0000000000..ef07a2a337
--- /dev/null
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
@@ -0,0 +1,222 @@
+---
+title: IE and Microsoft Edge FAQ for IT Pros
+description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
+audience: ITPro
+manager: msmets
+author: ramakoni1
+ms.author: ramakoni
+ms.reviewer: ramakoni, DEV_Triage
+ms.prod: internet-explorer
+ms.technology:
+ms.topic: kb-support
+ms.custom: CI=111020
+ms.localizationpriority: Normal
+# localization_priority: medium
+# ms.translationtype: MT
+ms.date: 01/23/2020
+---
+# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
+
+## Cookie-related questions
+
+### What is a cookie?
+
+An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
+
+### How does Internet Explorer handle cookies?
+
+For more information about how Internet Explorer handles cookies, see the following articles:
+
+- [Beware Cookie Sharing in Cross-Zone Scenarios](https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/)
+- [A Quick Look at P3P](https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/)
+- [Internet Explorer Cookie Internals FAQ](https://blogs.msdn.microsoft.com/ieinternals/2009/08/20/internet-explorer-cookie-internals-faq/)
+- [Privacy Beyond Blocking Cookies](https://blogs.msdn.microsoft.com/ie/2008/08/25/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content/)
+- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
+
+### Where does Internet Explorer store cookies?
+
+To see where Internet Explorer stores its cookies, follow these steps:
+
+1. Start File Explorer.
+2. Select **Views** \> **Change folder and search options**.
+3. In the **Folder Options** dialog box, select **View**.
+4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
+5. Clear **Hide protected operation system files (Recommended)**.
+6. Select **Apply**.
+7. Select **OK**.
+
+The following are the folder locations where the cookies are stored:
+
+**In Windows 10**
+C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
+
+**In Windows 8 and Windows 8.1**
+C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
+
+**In Windows 7**
+C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
+C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
+
+### What is the per-domain cookie limit?
+
+Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
+
+There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
+
+The JavaScript limitation was updated to 10 KB from 4 KB.
+
+For more information, see [Internet Explorer Cookie Internals (FAQ)](https://blogs.msdn.microsoft.com/ieinternals/2009/08/20/internet-explorer-cookie-internals-faq/).
+
+#### Additional information about cookie limits
+
+**What does the Cookie RFC allow?**
+RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
+
+- At least 300 cookies total
+- At least 20 cookies per unique host or domain name
+
+For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
+
+### Cookie size limit per domain
+
+Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
+
+## Proxy Auto Configuration (PAC)-related questions
+
+### Is an example Proxy Auto Configuration (PAC) file available?
+
+Here is a simple PAC file:
+
+```vb
+function FindProxyForURL(url, host)
+{
+ return "PROXY proxyserver:portnumber";
+}
+```
+
+> [!NOTE]
+> The previous PAC always returns the **proxyserver:portnumber** proxy.
+
+For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
+
+**Third-party information disclaimer**
+The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
+
+### How to improve performance by using PAC scripts
+
+- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr)
+- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/)
+
+## Other questions
+
+### How to set home and start pages in Microsoft Edge and allow user editing
+
+For more information, see the following blog article:
+
+[How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/)
+
+### How to add sites to the Enterprise Mode (EMIE) site list
+
+For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool).
+
+### What is Content Security Policy (CSP)?
+
+By using [Content Security Policy](https://docs.microsoft.com/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
+
+Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
+
+CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
+
+For more information, see the following articles:
+
+- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
+- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
+
+### Where to find Internet Explorer security zones registry entries
+
+Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
+
+This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
+
+The default Zone Keys are stored in the following locations:
+
+- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
+- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
+
+### Why don't HTML5 videos play in Internet Explorer 11?
+
+To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
+
+- 0 (the default value): Allow
+- 3: Disallow
+
+This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
+
+For more information, see [Unable to play HTML5 Videos in IE](https://blogs.msdn.microsoft.com/askie/2014/12/31/unable-to-play-html5-videos-in-ie/).
+
+For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
+
+For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
+
+### What is the Enterprise Mode Site List Portal?
+
+This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
+
+### What is Enterprise Mode Feature?
+
+For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode).
+
+### Where can I obtain a list of HTTP Status codes?
+
+For information about this list, see [HTTP Status Codes](https://docs.microsoft.com/windows/win32/winhttp/http-status-codes).
+
+### What is end of support for Internet Explorer 11?
+
+Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
+
+For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
+
+### How to configure TLS (SSL) for Internet Explorer
+
+For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
+
+### What is Site to Zone?
+
+Site to Zone usually refers to one of the following:
+
+**Site to Zone Assignment List**
+This is a Group Policy policy setting that can be used to add sites to the various security zones.
+
+The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
+
+- Intranet zone
+- Trusted Sites zone
+- Internet zone
+- Restricted Sites zone
+
+If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
+
+**Site to Zone Mapping**
+Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
+
+- HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
+- HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
+
+**Site to Zone Assignment List policy**
+This policy setting is available for both Computer Configuration and User Configuration:
+
+- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
+- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
+
+**References**
+[How to configure Internet Explorer security zone sites using group polices](https://blogs.msdn.microsoft.com/askie/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices/)
+
+### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
+
+For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](https://docs.microsoft.com/previous-versions/cc304129(v=vs.85)).
+
+### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
+
+The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
+
+For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](https://blogs.msdn.microsoft.com/jpsanders/2009/06/29/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer/).
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index d9ff00d3a8..d1c0ab596f 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -16,9 +16,11 @@
## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md)
## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md)
-# HoloLens in commercial environments
-## [Commercial feature overview](hololens-commercial-features.md)
+# Deploying HoloLens and Mixed Reality Apps in Commercial Environments
## [Deployment planning](hololens-requirements.md)
+## [Commercial feature overview](hololens-commercial-features.md)
+## [Lincense Requriements](hololens-licenses-requirements.md)
+## [Commercial Infrastructure Guidance](hololens-commercial-infrastructure.md)
## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md
new file mode 100644
index 0000000000..ad23e185ee
--- /dev/null
+++ b/devices/hololens/hololens-commercial-infrastructure.md
@@ -0,0 +1,113 @@
+---
+title: Infrastructure Guidelines for HoloLens
+description:
+ms.prod: hololens
+ms.sitesec: library
+author: pawinfie
+ms.author: pawinfie
+audience: ITPro
+ms.topic: article
+ms.localizationpriority: high
+ms.date: 1/23/2020
+ms.reviewer:
+manager: bradke
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Configure Your Network
+
+This portion of the document will require the following people:
+1. Network Admin with permissions to make changes to the proxy/firewall
+2. Azure Active Directory Admin
+3. Mobile Device Manager Admin
+4. Teams admin for Remote Assist only
+
+## Infrastructure Requirements
+
+### HoloLens Specific Network Requirements
+Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md).
+
+### Remote Assist Specific Network Requirements
+
+1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
+**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.**
+1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
+
+### Guides Specific Network Requirements
+Guides only require network access to download and use the app.
+
+## Azure Active Directory Guidance
+This step is only necessary if your company plans on managing the HoloLens and mixed reality apps.
+
+### 1. Ensure that you have an Azure AD License.
+Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information.
+
+### 2. Ensure that your company’s users are in Azure Active Directory (Azure AD).
+Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
+
+### 3. We suggest that users who will be need similar licenses are added to a group.
+1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
+
+2. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
+
+### 4. Ensure that your company’s users (or group of users) are assigned the necessary licenses.
+Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups).
+
+### 5. **IMPORTANT:** Only do this step if users are expected to enroll their HoloLens/Mobile device onto the network.
+These steps ensure that your company’s users (or a group of users) can add devices.
+1. Option 1: Give all users permission to join devices to Azure AD.
+**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
+**Set Users may join devices to Azure AD to *All***
+
+1. Option 2: Give selected users/groups permission to join devices to Azure AD
+**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
+**Set Users may join devices to Azure AD to *Selected***
+
+
+1. Option 3: You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled by your IT department.
+
+## Mobile Device Manager Admin Steps
+
+### Scenario 1: Kiosk Mode
+As a note, auto-launching an app does not currently work for HoloLens.
+
+How to Set Up Kiosk Mode Using Microsoft Intune.
+#### 1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business))
+
+#### 2. Check your app settings
+
+1. Log into your Microsoft Store Business account
+1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”**
+1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
+
+#### 3. Configuring Kiosk Mode using MDM
+
+Information on configuring Kiosk Mode in Intune can be found [here](https://docs.microsoft.com/hololens/hololens-kiosk#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)
+
+ >[!NOTE]
+ >You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
+
+
+
+If you are configuring Kiosk Mode on an MDM other than Intune, please check your MDM provider's documentation.
+
+## Additional Intune Quick Links
+
+1. [Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization.
+
+1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices).
+
+1. [Create Compliance Policy](https://docs.microsoft.com/intune/protect/create-compliance-policy)
+
+1. Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices).
+
+## Certificates and Authentication
+### MDM Certificate Distribution
+If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you.
+
+Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep).
+
+### Device Certificates
+Certificates can also be added to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information.
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 1ca366ecf5..d0dbb126b7 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -20,7 +20,7 @@ In Windows 10, version 1803, you can configure your HoloLens devices to run as m
When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
-Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
+Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
The following table lists the device capabilities in the different kiosk modes.
diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md
new file mode 100644
index 0000000000..6d33228879
--- /dev/null
+++ b/devices/hololens/hololens-licenses-requirements.md
@@ -0,0 +1,50 @@
+---
+title: Licenses for Mixed Reality Deployment
+description:
+ms.prod: hololens
+ms.sitesec: library
+author: pawinfie
+ms.author: pawinfie
+audience: ITPro
+ms.topic: article
+ms.localizationpriority: high
+ms.date: 1/23/2020
+ms.reviewer:
+manager: bradke
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Licenses Required for Mixed Reality Deployment
+
+If you plan on using a Mobile Device Management system (MDM) to manage your HoloLens, please review the MDM License Guidance section.
+
+## Mobile Device Management (MDM) Licenses Guidance
+
+If you plan on using an MDM other than Intune, an [Azure Active Directory Licenses](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) is required.
+
+If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.**
+
+## Identify the licenses needed for your scenario and products
+
+### Remote Assist License Requirements
+Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements).
+
+1. [Remote Assist License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free)
+1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+
+### Guides License Requirements
+Updated licensing and device requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/guides/requirements).
+
+1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+1. [Power BI](https://powerbi.microsoft.com/desktop/)
+1. [Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup)
+
+### Scenario 1: Kiosk Mode
+If you are not planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
+
+1. If you are **not** planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
+1. If you are planning to use an MDM other than Intune, your MDM provider will have steps on configuring Kiosk mode.
+1. If you are planning to use **Intune** as your MDM, implementation directions can be found in [Configuring your Network for HoloLens]().
diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md
index 6ee4fb35c1..e3b11960b1 100644
--- a/devices/hololens/hololens-offline.md
+++ b/devices/hololens/hololens-offline.md
@@ -1,5 +1,5 @@
---
-title: Use HoloLens offline
+title: Manage connection endpoints for HoloLens
description: To set up HoloLens, you'll need to connect to a Wi-Fi network
keywords: hololens, offline, OOBE
audience: ITPro
@@ -17,13 +17,13 @@ appliesto:
- HoloLens 2
---
-# Use HoloLens offline
+# Manage connection endpoints for HoloLens
-HoloLens support a limited set of offline experiences for connectivity conscious customers and for customers who have environmental limits on connectivity.
+Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional.
## Near-offline setup
-HoloLens need a network connection to go through initial device set up. If your corporate network has network restrictions, the following URLs will need to be available:
+HoloLens supports a limited set of offline experiences for customers who have network environment restrictions. However, HoloLens needs network connection to go through initial device set up and the following URLs have to be enabled:
| Purpose | URL |
|------|------|
@@ -35,9 +35,125 @@ HoloLens need a network connection to go through initial device set up. If your
| MSA | https://login.live.com/ppsecure/inlineconnect.srf?id=80600 |
| MSA Pin | https://account.live.com/msangc?fl=enroll |
-Additional references:
+## Endpoint configuration
+
+In addition to the list above, to take full advantage of HoloLens functionality, the following endpoints need to be enabled in your network configuration.
+
+
+| Purpose | URL |
+|------|------|
+| Azure | wd-prod-fe.cloudapp.azure.com | | |
+| | ris-prod-atm.trafficmanager.net | | | |
+| | validation-v2.sls.trafficmanager.net | | | |
+| Azure AD Multi-Factor Authentication | https://secure.aadcdn.microsoftonline-p.com | | | |
+| Intune and MDM Configurations | activation-v2.sls.microsoft.com/* | | | |
+| | cdn.onenote.net | | | |
+| | client.wns.windows.com | | | |
+| | crl.microsoft.com/pki/crl/* | | | |
+| | ctldl.windowsupdate.com | | | |
+| | *displaycatalog.mp.microsoft.com | | | |
+| | dm3p.wns.windows.com | | | |
+| | *microsoft.com/pkiops/* | | | |
+| | ocsp.digicert.com/* | | | |
+| | r.manage.microsoft.com | | | |
+| | tile-service.weather.microsoft.com | | | |
+| | settings-win.data.microsoft.com | | | |
+| Certificates | activation-v2.sls.microsoft.com/* | | | |
+| | crl.microsoft.com/pki/crl/* | | | |
+| | ocsp.digicert.com/* | | | |
+| | https://www.microsoft.com/pkiops/* | | | |
+| Cortana and Search | store-images.*microsoft.com | | | |
+| | www.bing.com/client | | | |
+| | www.bing.com | | | |
+| | www.bing.com/proactive | | | |
+| | www.bing.com/threshold/xls.aspx | | | |
+| | exo-ring.msedge.net | | | |
+| | fp.msedge.net | | | |
+| | fp-vp.azureedge.net | | | |
+| | odinvzc.azureedge.net | | | |
+| | spo-ring.msedge.net | | | |
+| Device Authentication | login.live.com* | | | |
+| Device metadata | dmd.metaservices.microsoft.com | | | |
+| Location | inference.location.live.net | | | |
+| | location-inference-westus.cloudapp.net | | | |
+| Diagnostic Data | v10.events.data.microsoft.com | | | |
+| | v10.vortex-win.data.microsoft.com/collect/v1 | | | |
+| | https://www.microsoft.com | | | |
+| | co4.telecommand.telemetry.microsoft.com | | | |
+| | cs11.wpc.v0cdn.net | | | |
+| | cs1137.wpc.gammacdn.net | | | |
+| | modern.watson.data.microsoft.com* | | | |
+| | watson.telemetry.microsoft.com | | | |
+| Licensing | licensing.mp.microsoft.com | | | |
+| Microsoft Account | login.msa.akadns6.net | | | |
+| | us.configsvc1.live.com.akadns.net | | | |
+| Microsoft Edge | iecvlist.microsoft.com | | | |
+| Microsoft forward link redirection service (FWLink) | go.microsoft.com | | | |
+| Microsoft Store | *.wns.windows.com | | | |
+| | storecatalogrevocation.storequality.microsoft.com | | | |
+| | img-prod-cms-rt-microsoft-com* | | | |
+| | store-images.microsoft.com | | | |
+| | .md.mp.microsoft.com | | |
+| | *displaycatalog.mp.microsoft.com | | | |
+| | pti.store.microsoft.com | | | |
+| | storeedgefd.dsx.mp.microsoft.com | | | |
+| | markets.books.microsoft.com | | | |
+| | share.microsoft.com | | | |
+| Network Connection Status Indicator (NCSI) | www.msftconnecttest.com* | | | |
+| Office | *.c-msedge.net | | | |
+| | *.e-msedge.net | | | |
+| | *.s-msedge.net | | | |
+| | nexusrules.officeapps.live.com | | | |
+| | ocos-office365-s2s.msedge.net | | | |
+| | officeclient.microsoft.com | | | |
+| | outlook.office365.com | | | |
+| | client-office365-tas.msedge.net | | | |
+| | https://www.office.com | | | |
+| | onecollector.cloudapp.aria | | | |
+| | v10.events.data.microsoft.com/onecollector/1.0/ | | | |
+| | self.events.data.microsoft.com | | | |
+| | to-do.microsoft.com | | | |
+| OneDrive | g.live.com/1rewlive5skydrive/* | | | |
+| | msagfx.live.com | | | |
+| | oneclient.sfx.ms | | | |
+| Photos App | evoke-windowsservices-tas.msedge.net | | | |
+| Settings | cy2.settings.data.microsoft.com.akadns.net | | | |
+| | settings.data.microsoft.com | | | |
+| | settings-win.data.microsoft.com | | | |
+| Windows Defender | wdcp.microsoft.com | | | |
+| | definitionupdates.microsoft.com | | | |
+| | go.microsoft.com | | | |
+| | *smartscreen.microsoft.com | | | |
+| | smartscreen-sn3p.smartscreen.microsoft.com | | | |
+| | unitedstates.smartscreen-prod.microsoft.com | | | |
+| Windows Spotlight | *.search.msn.com | | | |
+| | arc.msn.com | | | |
+| | g.msn.com* | | | |
+| | query.prod.cms.rt.microsoft.com | | | |
+| | ris.api.iris.microsoft.com | | | |
+| Windows Update | *.prod.do.dsp.mp.microsoft.com | | | |
+| | cs9.wac.phicdn.net | | | |
+| | emdl.ws.microsoft.com | | | |
+| | *.dl.delivery.mp.microsoft.com | | | |
+| | *.windowsupdate.com | | | |
+| | *.delivery.mp.microsoft.com | | | |
+| | *.update.microsoft.com | | | |
+
+
+
+## References
+
+> [!NOTE]
+> If you are deploying D365 Remote Assist, you will have to enable the endpoints on this [list](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams)
+- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization)
+- [Manage connection endpoints for Windows 10 Enterprise, version 1903](https://docs.microsoft.com/windows/privacy/manage-windows-1903-endpoints)
+- [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
+- [Intune network configuration requirements and bandwidth](https://docs.microsoft.com/intune/fundamentals/network-bandwidth-use#network-communication-requirements)
+- [Network endpoints for Microsoft Intune](https://docs.microsoft.com/intune/fundamentals/intune-endpoints)
+- [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges)
+- [Prerequisites for Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-install-prerequisites)
-- [Technical reference for AAD related IP ranges and URLs](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges)
## HoloLens limitations
diff --git a/devices/hololens/images/aad-kioskmode.PNG b/devices/hololens/images/aad-kioskmode.PNG
new file mode 100644
index 0000000000..c058f25241
Binary files /dev/null and b/devices/hololens/images/aad-kioskmode.PNG differ
diff --git a/devices/hololens/images/azure-ad-image.PNG b/devices/hololens/images/azure-ad-image.PNG
new file mode 100644
index 0000000000..e0215265f6
Binary files /dev/null and b/devices/hololens/images/azure-ad-image.PNG differ
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 20c6c45925..74505ca6ff 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -129,17 +129,16 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup
| MDM provider | Supports offline-licensed app packages |
|-----------------------------|----------------------------------------|
-| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes |
-| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes |
-| [Microsoft Intune standalone](https://docs.microsoft.com/intune/windows-store-for-business) | Yes |
+| On-premises MDM with Configuration Manager (beginning in version 1602) | Yes |
+|
| Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. |
-**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)**
+**To deploy apps remotely using Microsoft Endpoint Configuration Manager**
> [!NOTE]
-> These instructions are based on the current branch of System Center Configuration Manager.
+> These instructions are based on the current branch of Microsoft Endpoint Configuration Manager.
-1. Enroll your Surface Hubs to System Center Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm).
+1. Enroll your Surface Hubs to Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm).
2. Download the offline-licensed app package, the *encoded* license file, and any necessary dependency files from the Store for Business. For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app). Place the downloaded files in the same folder on a network share.
3. In the **Software Library** workspace of the Configuration Manager console, click **Overview** > **Application Management** > **Applications**.
4. On the **Home** tab, in the **Create** group, click **Create Application**.
@@ -150,11 +149,11 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup
9. On the **General Information** page, complete additional details about the app. Some of this information might already be populated if it was automatically obtained from the app package.
10. Click **Next**, review the application information on the Summary page, and then complete the Create Application Wizard.
11. Create a deployment type for the application. For more information, see [Create deployment types for the application](https://docs.microsoft.com/sccm/apps/deploy-use/create-applications#create-deployment-types-for-the-application).
-12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications).
-13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx).
+12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications).
+13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx).
> [!NOTE]
-> If you are using System Center Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to System Center Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with System Center Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://technet.microsoft.com/library/mt740630.aspx).
+> If you are using Microsoft Endpoint Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Microsoft Store for Business with Configuration Manager](https://technet.microsoft.com/library/mt740630.aspx).
## Summary
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 91d561934c..b3a74fc47d 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -19,9 +19,8 @@ ms.localizationpriority: medium
Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx).
Surface Hub has been validated with Microsoft’s first-party MDM providers:
-- On-premises MDM with System Center Configuration Manager (beginning in version 1602)
-- Hybrid MDM with System Center Configuration Manager and Microsoft Intune
- Microsoft Intune standalone
+- On-premises MDM with Microsoft Endpoint Configuration Manager
You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
@@ -32,7 +31,7 @@ You can enroll your Surface Hubs using bulk, manual, or automatic enrollment.
**To configure bulk enrollment**
- Surface Hub supports the [Provisioning CSP](https://msdn.microsoft.com/library/windows/hardware/mt203665.aspx) for bulk enrollment into MDM. For more information, see [Windows 10 bulk enrollment](https://msdn.microsoft.com/library/windows/hardware/mt613115.aspx).
--OR--
-- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx).
+- If you have an on-premises Microsoft Endpoint Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm).
### Manual enrollment
**To configure manual enrollment**
@@ -52,11 +51,11 @@ Then, when devices are setup during First-run, pick the option to join to Azure
## Manage Surface Hub settings with MDM
-You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
+You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and Microsoft Endpoint Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
### Supported Surface Hub CSP settings
-You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
+You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, Microsoft Endpoint Configuration Manager, or SyncML.
For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323).
@@ -92,7 +91,7 @@ For more information, see [SurfaceHub configuration service provider](https://ms
In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference).
-The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
+The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, Microsoft Endpoint Configuration Manager, or SyncML.
#### Security settings
@@ -160,10 +159,10 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with Intune? | Supported with Configuration Manager? | Supported with SyncML\*? |
|---------------------------------|--------------------------------------------------------------|----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|
-| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes. See [Configure Intune certificate profiles](https://docs.microsoft.com/intune/deploy-use/configure-intune-certificate-profiles). | Yes. See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/create-certificate-profiles). | Yes |
+| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes. See [Configure Intune certificate profiles](https://docs.microsoft.com/intune/deploy-use/configure-intune-certificate-profiles). | Yes. See [How to create certificate profiles in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/create-certificate-profiles). | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -202,7 +201,7 @@ The following tables include info on Windows 10 settings that have been validate
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
### Generate OMA URIs for settings
-You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
+You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
**To generate the OMA URI for any setting in the CSP documentation**
1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/`
@@ -226,11 +225,11 @@ You can use Microsoft Intune to manage Surface Hub settings. For custom settings
-## Example: Manage Surface Hub settings with System Center Configuration Manager
-System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
+## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
+Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
> [!NOTE]
-> These instructions are based on the current branch of System Center Configuration Manager.
+> These instructions are based on the current branch of Configuration Manager.
**To create a configuration item for Surface Hub settings**
@@ -265,7 +264,7 @@ System Center Configuration Manager supports managing modern devices that do not
18. When you're done, on the **Browse Settings** dialog, click **Close**.
19. Complete the wizard. You can view the new configuration item in the **Configuration Items** node of the **Assets and Compliance** workspace.
-For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client](https://docs.microsoft.com/sccm/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client).
+For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the Microsoft Endpoint Configuration Manager client](https://docs.microsoft.com/configmgr/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client).
## Related topics
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index fcd75f6dfd..4ad681ff5f 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -19,7 +19,7 @@ ms.localizationpriority: medium
After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in a couple ways:
- **Local management** - Every Surface Hub can be configured locally using the **Settings** app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. For more information, see [Local management for Surface Hub settings](local-management-surface-hub-settings.md).
-- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, System Center Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md).
+- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, Microsoft Endpoint Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md).
> [!NOTE]
> These management methods are not mutually exclusive. Devices can be both locally and remotely managed if you choose. However, MDM policies and settings will overwrite any local changes when the Surface Hub syncs with the management server.
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 4535bd1f1b..961a12fcd0 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -58,7 +58,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
-> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune)
+> You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune)
### Group Surface Hub into deployment rings
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index a6eb33d8f4..198dba4f74 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -28,7 +28,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT
| Active Directory or Azure Active Directory (Azure AD) |
The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.
You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. |
| Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync |
Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.
ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. |
| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.|
-| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
+| Mobile device management (MDM) solution (Microsoft Intune, Microsoft Endpoint Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
| Microsoft Operations Management Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.**Note:** For more information on enabling 802.1X wired authentication on Surface Hub, see [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md).**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. |
diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
index 40a5768d27..0e5600c12c 100644
--- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
+++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
@@ -93,7 +93,7 @@ Internet Connectivity |Device does have Internet connectivity |Device does not h
HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store |
Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? |
Proxy Address | | |If configured, returns proxy address. |
-Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated thru the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/)
+Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/)
Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy. |
#### Environment
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index bc26815d56..53918a7ad5 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -28,7 +28,7 @@
### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md)
### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md)
-### [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
+### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
@@ -40,13 +40,14 @@
## Manage
+### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
### [Optimize Wi-Fi connectivity for Surface devices](surface-wireless-connect.md)
### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
### [Surface Dock Firmware Update](surface-dock-firmware-update.md)
### [Battery Limit setting](battery-limit.md)
### [Surface Brightness Control](microsoft-surface-brightness-control.md)
### [Surface Asset Tag](assettag.md)
-### [Manage Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
+
## Secure
### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)
@@ -55,7 +56,7 @@
### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
-### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
+### [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
### [Surface Data Eraser](microsoft-surface-data-eraser.md)
## Troubleshoot
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index ebbb3fc3b5..18fc041b85 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -18,6 +18,12 @@ ms.date: 10/21/2019
This topic lists new and updated topics in the Surface documentation library.
+## January 2020
+| **New or changed topic** | **Description** |
+| ------------------------ | --------------- |
+| [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)| Updated with the latest information and links to related articles.|
+
+
## October 2019
| **New or changed topic** | **Description** |
@@ -37,7 +43,7 @@ This topic lists new and updated topics in the Surface documentation library.
| **New or changed topic** | **Description** |
| ------------------------ | --------------- |
| [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md) | New document highlights key wireless connectivity considerations for Surface devices in mobile scenarios. |
-| [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. |
+| [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. |
## July 2019
@@ -76,14 +82,14 @@ New or changed topic | Description
--- | ---
[Surface Brightness Control](microsoft-surface-brightness-control.md) | New
[Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) | New
-|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Studio 2 |
+|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Studio 2 |
## November 2018
New or changed topic | Description
--- | ---
-|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Pro 6 |
+|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Pro 6 |
[Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | New
[Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) | New
[Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) | New
@@ -93,7 +99,7 @@ New or changed topic | Description
New or changed topic | Description
--- | ---
[Battery Limit setting](battery-limit.md) | New
-|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface GO |
+|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface GO |
## May 2018
@@ -121,7 +127,7 @@ New or changed topic | Description
|New or changed topic | Description |
| --- | --- |
-|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Book 2, Surface Laptop, Surface Pro, and Surface Pro with LTE Advanced information |
+|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added Surface Book 2, Surface Laptop, Surface Pro, and Surface Pro with LTE Advanced information |
## October 2017
@@ -160,14 +166,14 @@ New or changed topic | Description
|New or changed topic | Description |
| --- | --- |
-|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
+|[Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
## November 2016
|New or changed topic | Description |
| --- | --- |
|[Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | Added procedure for viewing certificate thumbprint. |
-|[Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) | New |
+|[Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) | New |
@@ -175,7 +181,7 @@ New or changed topic | Description
| New or changed topic | Description |
| --- | --- |
-| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | New |
+| [Considerations for Surface and Microsoft Endpoint Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | New |
| [Long-term servicing branch for Surface devices](ltsb-for-surface.md) | New |
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 2513abc0f9..0b9915c4b0 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -16,25 +16,23 @@ ms.reviewer:
manager: dansimp
---
-# Considerations for Surface and System Center Configuration Manager
+# Considerations for Surface and Microsoft Endpoint Configuration Manager
-Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client; to publish apps, settings, and policies, you use the same process as you would use for any other device.
+Fundamentally, management and deployment of Surface devices with Microsoft Endpoint Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client; to publish apps, settings, and policies, you use the same process as you would use for any other device.
-You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index).
+You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/index).
Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios. The solutions documented in this article may apply to other devices and manufacturers as well.
> [!NOTE]
-> For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
+> For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
## Updating Surface device drivers and firmware
-
-For devices that recieve updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or System Center Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/).
-
+For devices that recieve updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/).
> [!NOTE]
-> Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2. For more information, see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
+> Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2. For more information, see [Can't import drivers into Microsoft Endpoint Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
## Surface Ethernet adapters and Configuration Manager deployment
@@ -42,9 +40,9 @@ The default mechanism that Configuration Manager uses to identify devices during
To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options:
-* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
+* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in SMicrosoft Endpoint Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
-* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
+* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in Microsoft Endpoint Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post.
@@ -60,7 +58,7 @@ With the release of Microsoft Store for Business, Surface app is no longer avail
If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
-Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
+Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in Microsoft Endpoint Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
## Licensing conflicts with OEM Activation 3.0
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index efc6802f8f..46c321367b 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -34,7 +34,7 @@ In some scenarios, you may want to provide complete automation to ensure that at
This article provides a summary of the scenarios where a deployment might require additional steps. It also provides the required information to ensure that the desired experience is achieved on any newly deployed Surface device. This article is intended for administrators who are familiar with the deployment process, as well as concepts such as answer files and [reference images](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image).
>[!NOTE]
->Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:
+>Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or Microsoft Endpoint Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:
>- [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
>- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager)
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 7c3f3bd079..a03f6e46fa 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -101,7 +101,7 @@ After you add an app to the Microsoft Store for Business account in Offline mode
*Figure 4. Download the AppxBundle package for an app*
5. Click **Download**. The AppxBundle package will be downloaded. Make sure you note the path of the downloaded file because you’ll need that later in this article.
-6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Configuration Designer to create a provisioning package. Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT).
+6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like Microsoft Endpoint Configuration Manager or when you use Windows Configuration Designer to create a provisioning package. Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT).
7. Click **Generate** to generate and download the license for the app. Make sure you note the path of the license file because you’ll need that later in this article.
>[!NOTE]
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
deleted file mode 100644
index 92527470f2..0000000000
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: Deploy the latest firmware and drivers for Surface devices (Surface)
-description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
-ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
-ms.reviewer: dansimp
-manager: kaushika
-keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device
-ms.localizationpriority: medium
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: surface, devices
-ms.sitesec: library
-author: dansimp
-ms.audience: itpro
-ms.date: 11/25/2019
-ms.author: dansimp
-ms.topic: article
----
-
-# Deploy the latest firmware and drivers for Surface devices
-
-> **Home users:** This article is only intended for technical support agents and IT professionals, and applies only to Surface devices. If you're looking for help to install Surface updates or firmware on a home device, please see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505).
-
-Under typical conditions, Windows Update automatically keeps Windows Surface devices up-to-date by downloading and installing the latest device drivers and firmware. However, you may sometimes have to download and install updates manually. For example, you may have to manually manage updates when you deploy a new version of Windows.
-
-## Downloading MSI files
-
-[Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface) provides links to download installation files for the following:
-
-- Administrative tools
-- Drivers for accessories
-- For some devices, updates for Windows
-
-## Deploying MSI files
-
-Specific versions of Windows 10 have separate MSI files. Each MSI file contains all required cumulative driver and firmware updates for Surface devices.
-
-The MSI file names contain useful information, including the minimum supported Windows build number that is required to install the drivers and firmware. For example, to install the drivers that are contained in SurfaceBook_Win10_17763_19.080.2031.0.msi on a Surface Book, the device must be running Windows 10 Fall Creators Update, version 1709 or later.
-
-For more information about build numbers for each Windows version, see [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
-
-### Surface MSI naming convention
-
-Beginning in August, 2019, MSI files have used the following naming convention:
-
-> *Product*\_*Windows release*\_*Windows build number*\_*Version number*\_*Revision of version number (typically zero)*.
-
-**Example**
-
-Consider the following MSI file:
-
-> SurfacePro6_Win10_18362_19.073.44195_0.msi
-
-This file name provides the following information:
-
-- **Product:** SurfacePro6
-- **Windows release:** Win10
-- **Build:** 18362
-- **Version:** 19.073.44195 – This shows the date and time that the file was created, as follows:
- - **Year:** 19 (2019)
- - **Month and week:** 073 (third week of July)
- - **Minute of the month:** 44195
-- **Revision of version:** 0 (first release of this version)
-
-### Legacy Surface MSI naming convention
-
-Legacy MSI files (files that were built before August, 2019) followed the same overall naming formula, but used a different method to derive the version number.
-
-**Example**
-
-Consider the following MSI file:
-
-> SurfacePro6_Win10_16299_1900307_0.msi
-
-This file name provides the following information:
-
-- **Product:** SurfacePro6
-- **Windows release:** Win10
-- **Build:** 16299
-- **Version:** 1900307 – This shows the date that the file was created and its position in the release sequence, as follows:
- - **Year:** 19 (2019)
- - **Number of release:** 003 (third release of the year)
- - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
-- **Revision of version:** 0 (first release of this version)
-
-Use the **version** number to determine the latest files that contain the most recent security updates. For example, consider the following list:
-
-- SurfacePro6_Win10_16299_1900307_0.msi
-- SurfacePro6_Win10_17134_1808507_3.msi
-- SurfacePro6_Win10_17763_1808707_3.msi
-
-In this list, the newest file is the first file (SurfacePro6_Win10_16299_1900307_0.msi). Its **Version** field has the newest date (2019). The other files are from 2018.
-
-## Supported devices
-
-For downloadable MSI files for devices that run Surface Pro 2 and later versions, see [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). This article contains information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3, as they are released.
-
-> [!NOTE]
-> There are no downloadable firmware or driver updates available for Surface devices that run Windows RT, including Surface RT and Surface 2. To update these devices, use Windows Update.
-
-For more information about how to deploy Surface drivers and firmware, see the following articles:
-
-- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
-
-- [Surface for Business help](https://www.microsoft.com/surface/support/business)
diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md
index c0aa8460a0..55a45cdd43 100644
--- a/devices/surface/documentation/surface-system-sku-reference.md
+++ b/devices/surface/documentation/surface-system-sku-reference.md
@@ -43,7 +43,7 @@ You can also find the System SKU and System Model for a device in System Informa
- Click **Start** > **MSInfo32**.
### WMI
-You can use System SKU variables in a Task Sequence WMI Condition in the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager. For example:
+You can use System SKU variables in a Task Sequence WMI Condition in the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. For example:
- WMI Namespace – Root\WMI
- WQL Query – SELECT * FROM MS_SystemInformation WHERE SystemSKU = "Surface_Pro_1796"
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index 580498d41a..49e1bc555b 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -23,7 +23,7 @@ Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on yo
If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these three wireless authentication protocols are not supported by Surface devices out of the box. Some users may discover this when they attempt to connect to your wireless network; others may discover it when they are unable to gain access to resources inside the network, like file shares and internal sites. For more information, see [Extensible Authentication Protocol](https://technet.microsoft.com/network/bb643147).
-You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For organizations that want to enable EAP support on their Surface devices, the MSI package format supports deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
+You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For organizations that want to enable EAP support on their Surface devices, the MSI package format supports deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager.
## Download PEAP, EAP-FAST, or Cisco LEAP installation files
diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
index 855d637526..b49b04d13a 100644
--- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
+++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
@@ -1,5 +1,5 @@
---
-title: How to enable the Surface Laptop keyboard during MDT deployment (Surface)
+title: How to enable the Surface Laptop keyboard during MDT deployment
description: When you use MDT to deploy Windows 10 to Surface laptops, you need to import keyboard drivers to use in the Windows PE environment.
keywords: windows 10 surface, automate, customize, mdt
ms.prod: w10
@@ -9,7 +9,7 @@ ms.sitesec: library
author: Teresa-Motiv
ms.author: v-tea
ms.topic: article
-ms.date: 10/31/2019
+ms.date: 01/30/2020
ms.reviewer: scottmca
ms.localizationpriority: medium
ms.audience: itpro
@@ -22,14 +22,14 @@ appliesto:
# How to enable the Surface Laptop keyboard during MDT deployment
+This article addresses a deployment approach that uses Microsoft Deployment Toolkit (MDT). You can also apply this information to other deployment methodologies. On most types of Surface devices, the keyboard should work during Lite Touch Installation (LTI). However, Surface Laptop requires some additional drivers to enable the keyboard. For Surface Laptop (1st Gen) and Surface Laptop 2 devices, you must prepare the folder structure and selection profiles that allow you to specify keyboard drivers for use during the Windows Preinstallation Environment (Windows PE) phase of LTI. For more information about this folder structure, see [Deploy a Windows 10 image using MDT: Step 5: Prepare the drivers repository](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt?redirectedfrom=MSDN#step-5-prepare-the-drivers-repository).
+
> [!NOTE]
-> This article addresses a deployment approach that uses Microsoft Deployment Toolkit (MDT). You can also apply this information to other deployment methodologies.
+> It is currently not supported to add Surface Laptop 2 and Surface Laptop 3 keyboard drivers in the same Windows PE boot instance due to a driver conflict; use separate instances instead.
> [!IMPORTANT]
> If you are deploying a Windows 10 image to a Surface Laptop that has Windows 10 in S mode preinstalled, see KB [4032347, Problems when deploying Windows to Surface devices with preinstalled Windows 10 in S mode](https://support.microsoft.com/help/4032347/surface-preinstall-windows10-s-mode-issues).
-On most types of Surface devices, the keyboard should work during Lite Touch Installation (LTI). However, Surface Laptop requires some additional drivers to enable the keyboard. For Surface Laptop (1st Gen) and Surface Laptop 2 devices, you must prepare the folder structure and selection profiles that allow you to specify keyboard drivers for use during the Windows Preinstallation Environment (Windows PE) phase of LTI. For more information about this folder structure, see [Deploy a Windows 10 image using MDT: Step 5: Prepare the drivers repository](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt?redirectedfrom=MSDN#step-5-prepare-the-drivers-repository).
-
To add the keyboard drivers to the selection profile, follow these steps:
1. Download the latest Surface Laptop MSI file from the appropriate locations:
@@ -58,12 +58,14 @@ To support Surface Laptop (1st Gen), import the following folders:
- SurfacePlatformInstaller\Drivers\System\GPIO
- SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver
- SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver
+ - SurfacePlatformInstaller\Drivers\System\PreciseTouch
Or for newer MSI files beginning with "SurfaceUpdate", use:
- SurfaceUpdate\SerialIOGPIO
- SurfaceUpdate\SurfaceHidMiniDriver
- SurfaceUpdate\SurfaceSerialHubDriver
+- SurfaceUpdate\Itouch
To support Surface Laptop 2, import the following folders:
@@ -73,6 +75,7 @@ To support Surface Laptop 2, import the following folders:
- SurfacePlatformInstaller\Drivers\System\I2C
- SurfacePlatformInstaller\Drivers\System\SPI
- SurfacePlatformInstaller\Drivers\System\UART
+ - SurfacePlatformInstaller\Drivers\System\PreciseTouch
Or for newer MSI files beginning with "SurfaceUpdate", use:
@@ -82,6 +85,7 @@ Or for newer MSI files beginning with "SurfaceUpdate", use:
- SurfaceUpdate\IclSerialIOUART
- SurfaceUpdate\SurfaceHidMini
- SurfaceUpdate\SurfaceSerialHub
+- SurfaceUpdate\Itouch
To support Surface Laptop 3 with Intel Processor, import the following folders:
@@ -93,7 +97,57 @@ To support Surface Laptop 3 with Intel Processor, import the following folders:
- SurfaceUpdate\SurfaceHidMini
- SurfaceUpdate\SurfaceSerialHub
- SurfaceUpdate\SurfaceHotPlug
-
+- SurfaceUpdate\Itouch
+ > [!NOTE]
+ > Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released.
+
+ To support Surface Laptop (1st Gen), import the following folders:
+
+ - SurfacePlatformInstaller\Drivers\System\GPIO
+ - SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver
+ - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver
+ - SurfacePlatformInstaller\Drivers\System\PreciseTouch
+
+ Or for newer MSI files beginning with "SurfaceUpdate", use:
+
+ - SurfaceUpdate\SerialIOGPIO
+ - SurfaceUpdate\SurfaceHidMiniDriver
+ - SurfaceUpdate\SurfaceSerialHubDriver
+ - SurfaceUpdate\Itouch
+
+ To support Surface Laptop 2, import the following folders:
+
+ - SurfacePlatformInstaller\Drivers\System\GPIO
+ - SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver
+ - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver
+ - SurfacePlatformInstaller\Drivers\System\I2C
+ - SurfacePlatformInstaller\Drivers\System\SPI
+ - SurfacePlatformInstaller\Drivers\System\UART
+ - SurfacePlatformInstaller\Drivers\System\PreciseTouch
+
+ Or for newer MSI files beginning with "SurfaceUpdate", use:
+
+ - SurfaceUpdate\SerialIOGPIO
+ - SurfaceUpdate\IclSerialIOI2C
+ - SurfaceUpdate\IclSerialIOSPI
+ - SurfaceUpdate\IclSerialIOUART
+ - SurfaceUpdate\SurfaceHidMini
+ - SurfaceUpdate\SurfaceSerialHub
+ - SurfaceUpdate\Itouch
+
+ To support Surface Laptop 3 with Intel Processor, import the following folders:
+
+ - SurfaceUpdate\IclSerialIOGPIO
+ - SurfaceUpdate\IclSerialIOI2C
+ - SurfaceUpdate\IclSerialIOSPI
+ - SurfaceUpdate\IclSerialIOUART
+ - SurfaceUpdate\SurfaceHidMini
+ - SurfaceUpdate\SurfaceSerialHub
+ - SurfaceUpdate\SurfaceHotPlug
+ - SurfaceUpdate\Itouch
+
+ > [!NOTE]
+ > For Surface Laptop 3 with Intel processor, the model is Surface Laptop 3. The remaining Surface Laptop drivers are located in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 3 folder.
6. Verify that the WindowsPEX64 folder now contains the imported drivers. The folder should resemble the following:
@@ -113,7 +167,8 @@ To support Surface Laptop 3 with Intel Processor, import the following folders:
9. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable.
- For Surface Laptop (1st Gen), the model is **Surface Laptop**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop folder as shown in the figure that follows this list.
- - For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder.
+ - For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder.
+ - For Surface Laptop 3 with Intel processor, the model is Surface Laptop 3. The remaining Surface Laptop drivers are located in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 3 folder.
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
index e8a0143aab..50ecb3cb35 100644
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -137,9 +137,9 @@ You can also verify that the device is enrolled in SEMM in Surface UEFI – whil
## Configure Surface UEFI settings with SEMM
-After a device is enrolled in SEMM, you can run Surface UEFI configuration packages signed with the same SEMM certificate to apply new Surface UEFI settings. These settings are applied automatically the next time the device boots, without any interaction from the user. You can use application deployment solutions like System Center Configuration Manager to deploy Surface UEFI configuration packages to Surface devices to change or manage the settings in Surface UEFI.
+After a device is enrolled in SEMM, you can run Surface UEFI configuration packages signed with the same SEMM certificate to apply new Surface UEFI settings. These settings are applied automatically the next time the device boots, without any interaction from the user. You can use application deployment solutions like Microsoft Endpoint Configuration Manager to deploy Surface UEFI configuration packages to Surface devices to change or manage the settings in Surface UEFI.
-For more information about how to deploy Windows Installer (.msi) files with Configuration Manager, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt627959).
+For more information about how to deploy Windows Installer (.msi) files with Configuration Manager, see [Deploy and manage applications with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627959).
If you have secured Surface UEFI with a password, users without the password who attempt to boot to Surface UEFI will only have the **PC information**, **About**, **Enterprise management**, and **Exit** pages displayed to them.
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 1b1216cd8d..3c05a0d165 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -29,13 +29,10 @@ Network deployment to Surface devices can pose some unique challenges for system
Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter.
-The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using System Center Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters.
+The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters.
Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware.
-> [!NOTE]
-> PXE boot is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
-
The following Ethernet devices are supported for network boot with Surface devices:
- Surface USB-C to Ethernet and USB 3.0 Adapter
diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md
index af2bc13af9..c81e994d70 100644
--- a/devices/surface/get-started.md
+++ b/devices/surface/get-started.md
@@ -46,9 +46,10 @@ Harness the power of Surface, Windows, and Office connected together through the
diff --git a/devices/surface/images/fig1-downloads-msi.png b/devices/surface/images/fig1-downloads-msi.png
new file mode 100644
index 0000000000..4d8b1410ff
Binary files /dev/null and b/devices/surface/images/fig1-downloads-msi.png differ
diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
index e43a14a63b..2631b5f837 100644
--- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
+++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
@@ -28,12 +28,12 @@ low power idle state (S0ix).
To ensure Surface devices across your organization fully benefit from Surface power optimization features:
-- Install the latest drivers and firmware from Windows Update or the Surface Driver and Firmware MSI. This creates the balanced power plan (aka power profile) by default and configures optimal power settings. For more information, refer to [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+- Install the latest drivers and firmware from Windows Update or the Surface Driver and Firmware MSI. This creates the balanced power plan (aka power profile) by default and configures optimal power settings. For more information, refer to [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md).
- Avoid creating custom power profiles or adjusting advanced power settings not visible in the default UI (**System** > **Power & sleep**).
- If you must manage the power profile of devices across your network (such as in highly managed organizations), use the powercfg command tool to export the power plan from the factory image of the Surface device and then import it into the provisioning package for your Surface devices.
->[!NOTE]
->You can only export a power plan across the same type of Surface device. For example, you cannot export a power plan from Surface Laptop and import it on Surface Pro. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings).
+ >[!NOTE]
+ >You can only export a power plan across the same type of Surface device. For example, you cannot export a power plan from Surface Laptop and import it on Surface Pro. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings).
- Exclude Surface devices from any existing power management policy settings.
@@ -166,7 +166,7 @@ To learn more, see:
| Check app usage | Your apps | Close apps.|
| Check your power cord for any damage.| Your power cord | Replace power cord if worn or damaged.|
-# Learn more
+## Learn more
- [Modern
standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources)
@@ -178,4 +178,4 @@ To learn more, see:
- [Battery
saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver)
-- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
+- [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md
index 7f470ab3ac..df0d5c2874 100644
--- a/devices/surface/manage-surface-driver-and-firmware-updates.md
+++ b/devices/surface/manage-surface-driver-and-firmware-updates.md
@@ -1,6 +1,6 @@
---
-title: Manage Surface driver and firmware updates (Surface)
-description: This article describes the available options to manage firmware and driver updates for Surface devices.
+title: Manage and deploy Surface driver and firmware updates
+description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices.
ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
ms.reviewer:
manager: dansimp
@@ -14,52 +14,143 @@ author: dansimp
ms.author: dansimp
ms.topic: article
ms.audience: itpro
-ms.date: 10/21/2019
+ms.date: 01/24/2020
---
-# Manage Surface driver and firmware updates
+# Manage and deploy Surface driver and firmware updates
+
-This article describes the available options that you can use to manage firmware and driver updates for Surface devices including Surface Pro 3 and later.
-
-To see a list of the available downloads for Surface devices and links to download the drivers and firmware for your device, see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
-
-On Surface devices, the firmware is exposed to the operating system as a driver and is visible in Device Manager. This design allows a Surface device firmware to be automatically updated along with all drivers through Windows Update. This mechanism provides a seamless, automatic experience for receiving the latest firmware and driver updates. Although automatic updating is easy for end users, updating firmware and drivers automatically may not always be appropriate for organizations and businesses. In cases where you strictly manage updates or when you deploy a new operating system to a Surface device, automatic updates from Windows Update may not be appropriate.
-
-## Methods for deploying firmware
-
-Windows Update automatically provides firmware for computers that receive updates directly from Microsoft. However, in environments where Windows Server Update Services (WSUS) manages updates, Windows Update cannot update the firmware. For managed environments, there are a number of options you can use to deploy firmware updates.
-
-### Windows Update
-
-The simplest solution to ensure that firmware on Surface devices in your organization is kept up to date is to allow Surface devices to receive updates directly from Microsoft. You can implement this solution easily by excluding Surface devices from Group Policy that directs computers to receive updates from WSUS.
-
-Although this solution ensures that firmware will be updated as new releases are made available to Windows Update, it does present potential drawbacks. Each Surface device that receives updates from Windows Update downloads each update independently from Microsoft instead of accessing a central location. These operations increase demand on Internet connectivity and bandwidth. Additionally, such updates are not subjected to testing or review by administrators.
-
-For details about Group Policy for client configuration of WSUS or Windows Update, see [Step 4: Configure Group Policy Settings for Automatic Updates](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
-
-### Windows Installer Package
-
-Surface driver and firmware updates are packaged as Windows Installer (MSI) files. To deploy these Windows Installer packages, you can use application deployment utilities such as the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager. Such solutions provide the means for administrators to test and review updates before deploying them, and to centralize deployment. For each device, it is important to select the correct MSI file for the device and its operating system. For more information see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
-
-For instructions on how to deploy updates by using Endpoint Configuration Manager (formerly System Center Configuration Manager), refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
+How you manage Surface driver and firmware updates varies depending on your environment and organizational requirements. On Surface devices, firmware is exposed to the operating system as a driver and is visible in Device Manager, enabling device firmware and drivers to be automatically updated using Windows Update or Windows Update for Business. Although this simplified approach may be feasible for startups and small or medium-sized businesses, larger organizations typically need IT admins to distributing updates internally. This may involve comprehensive planning, application compatibility testing, piloting and validating updates, before final approval and distribution across the network.
> [!NOTE]
-> You can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence.
+> This article is intended for technical support agents and IT professionals and applies to Surface devices only. If you're looking for help to install Surface updates or firmware on a home device, see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505).
+
+While enterprise-grade software distribution solutions continue to evolve, the business rationale for centrally managing updates remains the same: Maintain the security of Surface devices and keep them updated with the latest operating system and feature improvements. This is essential for maintaining the stability of your production environment and enabling users to stay productive. This article provides an overview of recommended tools and processes for larger organizations to accomplish these goals.
-### Microsoft System Center Configuration Manager
+## Central update management in commercial environments
-Starting in Microsoft System Center Configuration Manager version 1710, you can synchronize and deploy Microsoft Surface firmware and driver updates by using the Configuration Manager client. The process resembles that for deploying regular updates. For additional information, see KB 4098906, [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager).
+Microsoft has streamlined tools for managing devices – including driver and firmware updates -- into a single unified experience called [Microsoft Endpoint Manager admin center](https://devicemanagement.microsoft.com/) accessed from devicemanagement.microsoft.com.
-## Considerations when deploying updates and operating systems together
+### Manage updates with Configuration Manager and Intune
-The process of deploying firmware updates during an operating system deployment is straightforward. You can import the firmware and driver pack into either System Center Configuration Manager or MDT, and use them to deploy a fully updated environment to a target Surface device, complete with firmware. For a complete step-by-step guide to using MDT to deploy Windows to a Surface device, see [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](deploy-windows-10-to-surface-devices-with-mdt.md).
+Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates.
+
+For detailed steps, see the following resources:
-> [!IMPORTANT]
-> Select the correct MSI file for each specific device and its operating system. For more information, see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
+- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications).
+- [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
+
+
+### Manage updates with Microsoft Deployment Toolkit
+
+Included in Microsoft Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. MDT includes the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259).
+
+For detailed steps, see the following resources:
+
+Surface driver and firmware updates are packaged as Windows Installer (MSI) files. To deploy these Windows Installer packages, you can use application deployment utilities such as the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. Such solutions provide the means for administrators to test and review updates before deploying them, and to centralize deployment. For each device, it is important to select the correct MSI file for the device and its operating system. For more information see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+
+For instructions on how to deploy updates by using Microsoft Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
+- [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit)
+- [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://docs.microsoft.com/surface/deploy-windows-10-to-surface-devices-with-mdt)
**WindowsPE and Surface firmware and drivers**
-System Center Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase.
+Microsoft Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase.
+### Microsoft Endpoint Configuration Manager
+
+Starting in Microsoft Endpoint Configuration Manager, you can synchronize and deploy Microsoft Surface firmware and driver updates by using the Configuration Manager client. The process resembles that for deploying regular updates. For additional information, see KB 4098906, [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager).
## Supported devices
Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. Information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release.
+
+
+## Managing firmware with DFCI
+With Device Firmware Configuration Interface (DFCI) profiles built into Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For more information, see:
+
+
+- [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide)
+- [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333).
+
+## Best practices for update deployment processes
+
+To maintain a stable environment and keep users productive, it’s strongly recommended to maintain parity with the most recent version of Windows 10. For best practice recommendations, see [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates).
+
+## Downloadable Surface update packages
+
+Specific versions of Windows 10 have separate .msi files, each containing all required cumulative driver and firmware updates for Surface devices. Update packages may include some or all of the following components:
+
+- Wi-Fi and LTE
+- Video
+- Solid state drive
+- System aggregator module (SAM)
+- Battery
+- Keyboard controller
+- Embedded controller (EC)
+- Management engine (ME)
+- Unified extensible firmware interface (UEFI)
+
+
+### Downloading .msi files
+1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center.
+2. Select the .msi file name that matches the Surface model and version of Windows. The .msi file name includes the minimum supported Windows build number required to install the drivers and firmware. For example, as shown in the following figure, to update a Surface Book 2 with build 18362 of Windows 10, choose **SurfaceBook2_Win10_18362_19.101.13994.msi.** For a Surface Book 2 with build 16299 of Windows 10, choose **SurfaceBook2_Win10_16299_1803509_3.msi**.
+
+ 
+
+ *Figure 1. Downloading Surface updates*
+
+
+### Surface .msi naming convention
+Since August 2019, .msi files have used the following naming convention:
+
+- *Product*_*Windows release*_*Windows build number*_*Version number*_*Revision of version number (typically zero)*.
+
+**Example**
+
+- SurfacePro6_Win10_18362_19.073.44195_0.msi
+
+This file name provides the following information:
+
+- **Product:** SurfacePro6
+- **Windows release:** Win10
+- **Build:** 18362
+- **Version:** 19.073.44195 – This shows the date and time that the file was created, as follows:
+ - **Year:** 19 (2019)
+ - **Month and week:** 073 (third week of July)
+ - **Minute of the month:** 44195
+- **Revision of version:** 0 (first release of this version)
+
+### Legacy Surface .msi naming convention
+Legacy .msi files (files built before August 2019) followed the same overall naming formula but used a different method to derive the version number.
+ ****
+**Example**
+
+- SurfacePro6_Win10_16299_1900307_0.msi
+
+This file name provides the following information:
+
+- **Product:** SurfacePro6
+- **Windows release:** Win10
+- **Build:** 16299
+- **Version:** 1900307 – This shows the date that the file was created and its position in the release sequence, as follows:
+ - **Year:** 19 (2019)
+ - **Number of release:** 003 (third release of the year)
+ - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
+- **Revision of version:** 0 (first release of this version)
+
+
+
+## Learn more
+
+- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware)
+- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
+- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications).
+- [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
+- [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit)
+- [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://docs.microsoft.com/surface/deploy-windows-10-to-surface-devices-with-mdt)
+- [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide)
+- [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333).
+- [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates)
+
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 7fbd031cf5..8fbc32d7df 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -80,7 +80,7 @@ For environments where the SDA server will not be able to connect to the Interne
*Figure 2. Specify a local source for Surface driver and app files*
-You can find a full list of available driver downloads at [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
+You can find a full list of available driver downloads at [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
>[!NOTE]
>Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 488bd63a15..04d78253ee 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -328,7 +328,7 @@ The **2 – Create Windows Reference Image** task sequence is used to perform a
Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
>[!NOTE]
->Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
+>Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and Microsoft Endpoint Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard.
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
index 51e39c27a3..d57966b6cf 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
@@ -61,4 +61,4 @@ Before you choose to use Windows 10 Enterprise LTSC edition on Surface devices,
Surface devices running Windows 10 Enterprise LTSC edition will not receive new features. In many cases these features are requested by customers to improve the usability and capabilities of Surface hardware. For example, new improvements for High DPI applications in Windows 10, version 1703. Customers that use Surface devices in the LTSC configuration will not see the improvements until they either update to a new Windows 10 Enterprise LTSC release or upgrade to a version of Windows 10 with support for the SAC servicing option.
-Devices can be changed from Windows 10 Enterprise LTSC to a more recent version of Windows 10 Enterprise, with support for the SAC servicing option, without the loss of user data by performing an upgrade installation. You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence Templates available in the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. For more information, see [Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/upgrade-surface-devices-to-windows-10-with-mdt).
+Devices can be changed from Windows 10 Enterprise LTSC to a more recent version of Windows 10 Enterprise, with support for the SAC servicing option, without the loss of user data by performing an upgrade installation. You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence Templates available in the Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. For more information, see [Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/upgrade-surface-devices-to-windows-10-with-mdt).
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
index f1e3460df4..6ea9d9ac55 100644
--- a/devices/surface/surface-diagnostic-toolkit-command-line.md
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -43,7 +43,7 @@ Command | Notes
>[!NOTE]
->To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes.
+>To run the SDT app console remotely on target devices, you can use a configuration management tool such as Microsoft Endpoint Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes.
## Running Best Practice Analyzer
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index 751ea36a4d..dc3e5b41f0 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -43,7 +43,7 @@ If preferred, you can manually complete the update as follows:
## Network deployment
-You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using System Center Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent:
+You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using Microsoft Endpoint Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent:
- **Msiexec.exe /i /quiet /norestart**
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 81b911bb6f..52e193b6dd 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -25,7 +25,7 @@ Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devi
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
-There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with System Center Configuration Manager, see [Use System Center Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm).
+There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone tool or integration with Microsoft Endpoint Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with Microsoft Endpoint Configuration Manager, see [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm).
## Microsoft Surface UEFI Configurator
@@ -124,7 +124,7 @@ These characters are the last two characters of the certificate thumbprint and s
>6. **All** or **Properties Only** must be selected in the **Show** drop-down menu.
>7. Select the field **Thumbprint**.
-To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file with administrative privileges on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
+To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file with administrative privileges on the intended Surface device. You can use application deployment or operating system deployment technologies such as [Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
For a step-by-step walkthrough of how to enroll a Surface device in SEMM or apply a Surface UEFI configuration with SEMM, see [Enroll and configure Surface devices with SEMM](https://technet.microsoft.com/itpro/surface/enroll-and-configure-surface-devices-with-semm).
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index 26e145c547..fd98f72368 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 11/20/2019
+ms.date: 1/22/2020
ms.reviewer: jessko
manager: dansimp
ms.audience: itpro
@@ -73,7 +73,7 @@ Surface Pro X was designed to use Windows Update to simplify the process of keep
- Use Windows Update or Windows Update for Business for maintaining the latest drivers and firmware. For more information, see [Deploy Updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
- If your procedures require using a Windows Installer .msi file, contact [Surface for Business support](https://support.microsoft.com/help/4037645).
-- For more information about deploying and managing updates on Surface devices, see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+- For more information about deploying and managing updates on Surface devices, see [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md).
- Note that Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X.
## Running apps on Surface Pro X
@@ -124,7 +124,7 @@ The following tables show the availability of selected key features on Surface P
| Deployment | Surface Pro 7 | Surface Pro X | Notes |
| --------------------------------------- | ------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| Windows Autopilot | Yes | Yes | |
-| Support for Network Boot (PXE) | Yes | Yes | |
+| Support for Network Boot (PXE) | Yes | No | |
| Windows Configuration Designer | Yes | No | Not recommended for Surface Pro X. |
| WinPE | Yes | Yes | Not recommended for Surface Pro X. Microsoft does not provide the necessary .ISO and drivers to support WinPE with Surface Pro X. |
| Endpoint Configuration Manager: Operating System Deployment (OSD) | Yes | No | Not supported on Surface Pro X. |
diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md
index cb201c332e..dbcb9648b0 100644
--- a/devices/surface/surface-system-sku-reference.md
+++ b/devices/surface/surface-system-sku-reference.md
@@ -66,7 +66,7 @@ You can also find the System SKU and System Model for a device in **System Infor
1. Select **System Information**.
**Using the SKU in a task sequence WMI condition**
-You can use the System SKU information in the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager as part of a task sequence WMI condition.
+You can use the System SKU information in the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager as part of a task sequence WMI condition.
``` powershell
- WMI Namespace – Root\WMI
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index 09000265e6..0cf1ab9bda 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -20,7 +20,7 @@ ms.audience: itpro
The Microsoft Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices lets administrators manage and help secure the configuration of Surface UEFI settings. For most organizations, this process is accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool. These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update the Surface UEFI settings configuration.
-For organizations with Endpoint Configuration Manager (formerly known as System Center Configuration Manager or SCCM), there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool.
+For organizations with Microsoft Endpoint Configuration Manager there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool.
> [!Note]
> Although the process described in this article may work with earlier versions of Endpoint Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of Endpoint Configuration Manager.
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
index 00ad750ca8..53ff389c02 100644
--- a/devices/surface/wake-on-lan-for-surface-devices.md
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -18,7 +18,7 @@ ms.audience: itpro
# Wake On LAN for Surface devices
-Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as System Center Configuration Manager) automatically. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using System Center Configuration Manager during a window in the middle of the night, when the office is empty.
+Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as Microsoft Endpoint Configuration Manager) automatically. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using Microsoft Endpoint Configuration Manager during a window in the middle of the night, when the office is empty.
>[!NOTE]
>Surface devices must be connected to AC power and in Connected Standby (Sleep) to support WOL. WOL is not possible from devices that are in hibernation or powered off.
@@ -51,7 +51,7 @@ The following devices are supported for WOL:
To enable WOL support on Surface devices, a specific driver for the Surface Ethernet adapter is required. This driver is not included in the standard driver and firmware pack for Surface devices – you must download and install it separately. You can download the Surface WOL driver (SurfaceWOL.msi) from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
-You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or you can distribute it to Surface devices with an application deployment solution, such as System Center Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an application during the deployment process. You can also extract the Surface WOL driver files to include them in the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT) deployment share. You can read more about Surface deployment with MDT in [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/deploy-windows-10-to-surface-devices-with-mdt).
+You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or you can distribute it to Surface devices with an application deployment solution, such as Microsoft Endpoint Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an application during the deployment process. You can also extract the Surface WOL driver files to include them in the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT) deployment share. You can read more about Surface deployment with MDT in [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/deploy-windows-10-to-surface-devices-with-mdt).
> [!NOTE]
> During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during deployment, this registry key will not be configured and must be configured manually or with a script.
@@ -89,7 +89,7 @@ The Surface WOL driver conforms to the WOL standard, whereby the device is woken
>[!NOTE]
>To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or DNS name of the device.
-Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Microsoft Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
+Many management solutions, such as Configuration Manager, provide built-in support for WOL. There are also many solutions, including Microsoft Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
>[!NOTE]
>After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which allows applications to prevent sleep. See the [WOL driver](#wol-driver) section of this article for more information about this registry key.
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 051954b11f..cbbdb3502b 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -457,7 +457,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid
X
-
Use System Center 2012 R2 Configuration Manager for management
+
Use Microsoft Endpoint Configuration Manager for management
X
X
@@ -493,7 +493,7 @@ You may ask the question, “Why plan for device, user, and app management befor
Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device.
-Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
+Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, Microsoft Endpoint Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
Table 6. Device, user, and app management products and technologies
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 35146fcace..c081cfa696 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1,6 +1,6 @@
---
title: Deploy Windows 10 in a school district (Windows 10)
-description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices.
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Endpoint Configuration Manager, Intune, and Group Policy to manage devices.
keywords: configure, tools, device, school district, deploy Windows 10
ms.prod: w10
ms.mktglfcycl: plan
@@ -20,7 +20,7 @@ manager: dansimp
- Windows 10
-This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft System Center Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
+This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
## Prepare for district deployment
@@ -99,9 +99,9 @@ Now that you have the plan (blueprint) for your district and individual schools
The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
-You can use MDT as a stand-alone tool or integrate it with System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
-This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with System Center Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
+This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices.
@@ -109,11 +109,11 @@ LTI performs deployment from a *deployment share* — a network-shared folder on
The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
-ZTI performs fully automated deployments using System Center Configuration Manager and MDT. Although you could use System Center Configuration Manager by itself, using System Center Configuration Manager with MDT provides an easier process for deploying operating systems. MDT works with the operating system deployment feature in System Center Configuration Manager.
+ZTI performs fully automated deployments using Configuration Manager and MDT. Although you could use Configuration Manager by itself, using Configuration Manager with MDT provides an easier process for deploying operating systems. MDT works with the operating system deployment feature in Configuration Manager.
The configuration process requires the following devices:
-* **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the System Center Configuration Manager Console on this device.
+* **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device.
* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices.
You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all).
* **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices.
@@ -133,7 +133,7 @@ The high-level process for deploying and configuring devices within individual c
6. On the reference devices, deploy Windows 10 and the Windows desktop apps on the device, and then capture the reference image from the devices.
-7. Import the captured reference images into MDT or System Center Configuration Manager.
+7. Import the captured reference images into MDT or Microsoft Endpoint Configuration Manager.
8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
@@ -160,9 +160,9 @@ Before you select the deployment and management methods, you need to review the
|Scenario feature |Cloud-centric|On-premises and cloud|
|---|---|---|
|Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD |
-|Windows 10 deployment | MDT only | System Center Configuration Manager with MDT |
+|Windows 10 deployment | MDT only | Microsoft Endpoint Configuration Manager with MDT |
|Configuration setting management | Intune | Group Policy
Intune|
-|App and update management | Intune |System Center Configuration Manager
Intune|
*Table 1. Deployment and management scenarios*
@@ -174,14 +174,14 @@ These scenarios assume the need to support:
Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind:
* You can use Group Policy or Intune to manage configuration settings on a device but not both.
-* You can use System Center Configuration Manager or Intune to manage apps and updates on a device but not both.
+* You can use Microsoft Endpoint Configuration Manager or Intune to manage apps and updates on a device but not both.
* You cannot manage multiple users on a device with Intune if the device is AD DS domain joined.
Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district.
### Select the deployment methods
-To deploy Windows 10 and your apps, you can use MDT by itself or System Center Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
+To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
@@ -230,8 +230,8 @@ Select this method when you:
-
System Center Configuration Manager
-
System Center Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use System Center Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
+
Microsoft Endpoint Configuration Manager
+
Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
Select this method when you:
Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
@@ -249,7 +249,7 @@ Select this method when you:
The disadvantages of this method are that it:
-
Carries an additional cost for System Center Configuration Manager server licenses (if the institution does not have System Center Configuration Manager already).
+
Carries an additional cost for Microsoft Endpoint Configuration Manager server licenses (if the institution does not have Configuration Manager already).
Can deploy Windows 10 only to domain-joined (institution-owned devices).
Requires an AD DS infrastructure (if the institution does not have AD DS already).
@@ -265,7 +265,7 @@ Record the deployment methods you selected in Table 3.
|Selection | Deployment method|
|--------- | -----------------|
| |MDT by itself |
-| |System Center Configuration Manager and MDT|
+| |Microsoft Endpoint Configuration Manager and MDT|
*Table 3. Deployment methods selected*
@@ -320,7 +320,7 @@ Select this method when you:
Intune
Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
-Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with System Center Configuration Manager is unavailable.
+Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
Select this method when you:
@@ -364,7 +364,7 @@ Record the configuration setting management methods you selected in Table 5. Alt
#### Select the app and update management products
-For a district, there are many ways to manage apps and software updates. Table 6 lists the products that this guide describes and recommends. Although you could manage updates by using [Windows Updates or Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx), you still need to use System Center Configuration Manager or Intune to manage apps. Therefore, it only makes sense to use one or both of these tools for update management.
+For a district, there are many ways to manage apps and software updates. Table 6 lists the products that this guide describes and recommends. Although you could manage updates by using [Windows Updates or Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx), you still need to Configuration Manager or Intune to manage apps. Therefore, it only makes sense to use one or both of these tools for update management.
Use the information in Table 6 to determine which combination of app and update management products is right for your district.
@@ -382,10 +382,10 @@ Use the information in Table 6 to determine which combination of app and update
-
System Center Configuration Manager
-
System Center Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
System Center Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using System Center Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.
Select this method when you:
+
Microsoft Endpoint Configuration Manager
+
Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.
Select this method when you:
-
Selected System Center Configuration Manager to deploy Windows 10.
+
Selected Configuration Manager to deploy Windows 10.
Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
Want to manage AD DS domain-joined devices.
Have an existing AD DS infrastructure.
@@ -404,7 +404,7 @@ Use the information in Table 6 to determine which combination of app and update
The disadvantages of this method are that it:
-
Carries an additional cost for System Center Configuration Manager server licenses (if the institution does not have System Center Configuration Manager already).
+
Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
Carries an additional cost for Windows Server licenses and the corresponding server hardware.
Can only manage domain-joined (institution-owned devices).
Requires an AD DS infrastructure (if the institution does not have AD DS already).
@@ -441,12 +441,12 @@ Select this method when you:
-
System Center Configuration Manager and Intune (hybrid)
-
System Center Configuration Manager and Intune together extend System Center Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both System Center Configuration Manager and Intune.
-System Center Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using System Center Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
+
Microsoft Endpoint Configuration Manager and Intune (hybrid)
+
Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
+Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
Select this method when you:
-
Selected System Center Configuration Manager to deploy Windows 10.
+
Selected Microsoft Endpoint Configuration Manager to deploy Windows 10.
Want to manage institution-owned and personal devices (does not require that the device be domain joined).
Want to manage domain-joined devices.
Want to manage Azure AD domain-joined devices.
@@ -466,7 +466,7 @@ Select this method when you:
The disadvantages of this method are that it:
-
Carries an additional cost for System Center Configuration Manager server licenses (if the institution does not have System Center Configuration Manager already).
+
Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
Carries an additional cost for Windows Server licenses and the corresponding server hardware.
Carries an additional cost for Intune subscription licenses.
Requires an AD DS infrastructure (if the institution does not have AD DS already).
@@ -483,9 +483,9 @@ Record the app and update management methods that you selected in Table 7.
|Selection | Management method|
|----------|------------------|
-| |System Center Configuration Manager by itself|
+| |Microsoft Endpoint Configuration Manager by itself|
| |Intune by itself|
-| |System Center Configuration Manager and Intune (hybrid mode)|
+| |Microsoft Endpoint Configuration Manager and Intune (hybrid mode)|
*Table 7. App and update management methods selected*
@@ -526,19 +526,19 @@ For more information about how to create a deployment share, see [Step 3-1: Crea
### Install the Configuration Manager console
->**Note** If you selected System Center Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next.
+>**Note** If you selected Microsoft Endpoint Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next.
-You can use System Center Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage System Center Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage System Center Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install System Center Configuration Manager primary site servers.
+You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers.
-For more information about how to install the Configuration Manager console, see [Install System Center Configuration Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole).
+For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Configuration Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole).
### Configure MDT integration with the Configuration Manager console
->**Note** If you selected MDT only to deploy Windows 10 and your apps (and not System Center Configuration Manager) in the [Select the deployment methods](#select-the-deployment-methods) section, then skip this section and continue to the next.
+>**Note** If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in the [Select the deployment methods](#select-the-deployment-methods) section, then skip this section and continue to the next.
-You can use MDT with System Center Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with System Center Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT.
+You can use MDT with Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT.
-In addition to the admin device, run the Configure ConfigMgr Integration Wizard on each device that runs the Configuration Manager console to ensure that all Configuration Manager console installation can use the power of MDT–System Center Configuration Manager integration.
+In addition to the admin device, run the Configure ConfigMgr Integration Wizard on each device that runs the Configuration Manager console to ensure that all Configuration Manager console installation can use the power of MDT–Configuration Manager integration.
For more information, see [Enable Configuration Manager Console Integration for Configuration Manager](https://technet.microsoft.com/library/dn759415.aspx#EnableConfigurationManagerConsoleIntegrationforConfigurationManager).
@@ -1077,7 +1077,7 @@ At the end of this section, you should know the Windows 10 editions and processo
## Prepare for deployment
-Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and System Center Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
+Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
### Configure the MDT deployment share
@@ -1120,7 +1120,7 @@ Import device drivers for each device in your institution. For more information
For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
-If you have Intune or System Center Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using System Center Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
+If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using Microsoft Endpoint Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
@@ -1739,10 +1739,10 @@ For more information, see:
Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
-You can also deploy Microsoft Store apps directly to devices by using Intune, System Center Configuration Manager, or both in a hybrid configuration. For more information, see:
+You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see:
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 5fd1f4093a..f582026716 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -88,7 +88,7 @@ Now that you have the plan (blueprint) for your classroom, you’re ready to lea
The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
-You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments.
+You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices.
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index c49e6ea21f..c326ec1cba 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -28,7 +28,7 @@ Follow the guidance in this topic to set up Take a Test on multiple PCs.
To configure a dedicated test account on multiple PCs, select any of the following methods:
- [Provisioning package created through the Set up School PCs app](#set-up-a-test-account-in-the-set-up-school-pcs-app)
- [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education)
-- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager)
+- [Mobile device management (MDM) or Microsoft Endpoint Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager)
- [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer)
- [Group Policy to deploy a scheduled task that runs a Powershell script](https://docs.microsoft.com/education/windows/take-a-test-multiple-pcs#create-a-scheduled-task-in-group-policy)
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 4ff027e388..fed3ff8374 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -48,7 +48,7 @@ There are several ways to configure devices for assessments. You can:
- **For multiple PCs**
You can use any of these methods:
- - Mobile device management (MDM) or Microsoft System Center Configuration Manager
+ - Mobile device management (MDM) or Microsoft Endpoint Configuration Manager
- A provisioning package created in Windows Configuration Designer
- Group Policy to deploy a scheduled task that runs a Powershell script
diff --git a/mdop/agpm/resources-for-agpm.md b/mdop/agpm/resources-for-agpm.md
index 3ebc42e3e4..5aa2774df3 100644
--- a/mdop/agpm/resources-for-agpm.md
+++ b/mdop/agpm/resources-for-agpm.md
@@ -19,19 +19,19 @@ ms.date: 08/30/2016
### Documents for download
-- [Advanced Group Policy Management 4.0 documents](https://go.microsoft.com/fwlink/?LinkID=158931)
+- [Advanced Group Policy Management 4.0 documents](https://www.microsoft.com/download/details.aspx?id=13975)
### Microsoft Desktop Optimization Pack resources
-- [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](https://go.microsoft.com/fwlink/?LinkID=159870) (http://www.microsoft.com/technet/mdop): Links to MDOP videos and resources.
+- [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](https://go.microsoft.com/fwlink/?LinkID=159870) (https://www.microsoft.com/technet/mdop): Links to MDOP videos and resources.
- [Enterprise products: MDOP](https://go.microsoft.com/fwlink/?LinkID=160297): Overviews and information about the benefits of applications in MDOP.
### Group Policy resources
-- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkID=145531) (http://www.microsoft.com/grouppolicy): Links to Group Policy documentation, tools, and downloads.
+- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkID=145531) (https://www.microsoft.com/grouppolicy): Links to Group Policy documentation, tools, and downloads.
-- [Group Policy Team Blog](https://go.microsoft.com/fwlink/?LinkID=75192) (http://blogs.technet.com/GroupPolicy): Stay current on the latest news about Group Policy with articles by the Group Policy Team and other experts.
+- [Group Policy Team Blog](https://go.microsoft.com/fwlink/?LinkID=75192) (https://blogs.technet.com/GroupPolicy): Stay current on the latest news about Group Policy with articles by the Group Policy Team and other experts.
- [Group Policy Forum](https://go.microsoft.com/fwlink/?LinkID=145532): Do you have questions about Group Policy or AGPM? You can post your questions to the forum, and receive answers from the experts.
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45.md b/mdop/appv-v4/about-microsoft-application-virtualization-45.md
index 827934974f..40b58ca9d6 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-45.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-45.md
@@ -27,7 +27,7 @@ Formerly known as SoftGrid Application Virtualization, Microsoft Application Vir
2. Application Virtualization Streaming Server, a lightweight version which also ships as part of the Microsoft Desktop Optimization Pack and Microsoft Application Virtualization for Remote Desktop Services packages, offers application streaming including package and active upgrades without the Active Directory Domain Services and database overheads, and enables administrators to deploy to existing servers or add streaming to Electronic Software Delivery (ESD) systems.
- 3. Standalone mode enables virtual applications to run without streaming and is interoperable with Microsoft Systems Management Server and System Center Configuration Manager 2007 and third-party ESD systems.
+ 3. Standalone mode enables virtual applications to run without streaming and is interoperable with Microsoft Endpoint Configuration Manager and third-party ESD systems.
- Globalization: The product is localized across 11 languages, includes support for foreign language applications that use special characters, and supports foreign language Active Directory and servers and runtime locale detection.
diff --git a/mdop/appv-v4/app-v-upgrade-checklist.md b/mdop/appv-v4/app-v-upgrade-checklist.md
index 942fa32de6..b81818e567 100644
--- a/mdop/appv-v4/app-v-upgrade-checklist.md
+++ b/mdop/appv-v4/app-v-upgrade-checklist.md
@@ -69,7 +69,7 @@ Before trying to upgrade to Microsoft Application Virtualization (App-V) 4.5 or
- Any virtual application packages sequenced in version 4.2 will not have to be sequenced again for use with version 4.5. However, you should consider upgrading the virtual packages to the Microsoft Application Virtualization 4.5 format if you want to apply default access control lists (ACLs) or generate a Windows Installer file. This is a simple process and requires only that the existing virtual application package be opened and saved with the App-V 4.5 Sequencer. This can be automated by using the App-VSequencer command-line interface. For more information, see [How to Create or Upgrade Virtual Applications Using the App-V Sequencer](how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md)
-- One of the features of the 4.5 Sequencer is the ability to create Windows Installer (.msi) files as control points for virtual application package interoperability with electronic software distribution (ESD) systems, such as Microsoft System Center Configuration Manager 2007. Previous Windows Installer files created with the MSI tool for Application Virtualization that were installed on a App-V 4.1 or 4.2 client that is subsequently upgraded to App-V 4.5 will continue to work, although they cannot be installed on the App-V 4.5 client. However, they cannot be removed or upgraded unless they are upgraded in the App-V 4.5 Sequencer. The original App-V package earlier than 4.5 has to be opened in the App-V 4.5 Sequencer and then saved as a Windows Installer File.
+- One of the features of the 4.5 Sequencer is the ability to create Windows Installer (.msi) files as control points for virtual application package interoperability with electronic software distribution (ESD) systems, such as Microsoft Endpoint Configuration Manager. Previous Windows Installer files created with the MSI tool for Application Virtualization that were installed on a App-V 4.1 or 4.2 client that is subsequently upgraded to App-V 4.5 will continue to work, although they cannot be installed on the App-V 4.5 client. However, they cannot be removed or upgraded unless they are upgraded in the App-V 4.5 Sequencer. The original App-V package earlier than 4.5 has to be opened in the App-V 4.5 Sequencer and then saved as a Windows Installer File.
**Note**
If the App-V 4.2 Client has already been upgraded to App-V 4.5, it is possible to script a workaround to preserve the version 4.2 packages on version 4.5 clients and allow them to be managed. This script must copy two files, msvcp71.dll and msvcr71.dll, to the App-V installation folder and set the following registry key values under the registry key:\[HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Configuration\]:
diff --git a/mdop/appv-v4/determine-your-streaming-method.md b/mdop/appv-v4/determine-your-streaming-method.md
index eac83fa0c2..0033aa3003 100644
--- a/mdop/appv-v4/determine-your-streaming-method.md
+++ b/mdop/appv-v4/determine-your-streaming-method.md
@@ -24,7 +24,7 @@ The first time that a user double-clicks the icon that has been placed on a comp
-The streaming source location is usually a server that is accessible by the user’s computer; however, some electronic distribution systems, such as Microsoft System Center Configuration Manager, can distribute the SFT file to the user’s computer and then stream the virtual application package locally from that computer’s cache.
+The streaming source location is usually a server that is accessible by the user’s computer; however, some electronic distribution systems, such as Microsoft Endpoint Configuration Manager, can distribute the SFT file to the user’s computer and then stream the virtual application package locally from that computer’s cache.
**Note**
A streaming source location for virtual packages can be set up on a computer that is not a server. This is especially useful in a small branch office that has no server.
diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
index 6173dbdd7a..ebdfacc6c9 100644
--- a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
+++ b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
@@ -20,7 +20,7 @@ ms.date: 08/30/2016
If you plan to use an electronic software distribution (ESD) solution to deploy virtual applications, it is important to understand the factors that go into and are affected by that decision. This topic describes the benefits of using an ESD-based scenario and provides information about the publishing and package streaming methods that you will need to consider as you proceed with your deployment.
**Important**
-Whichever ESD solution you use, you must be familiar with the requirements of your particular solution. If you are using System Center Configuration Manager 2007 R2 or later, see the System Center Configuration Manager documentation at .
+Whichever ESD solution you use, you must be familiar with the requirements of your particular solution. If you are using Microsoft Endpoint Configuration Manager, see the Configuration Manager documentation at .
diff --git a/mdop/appv-v4/overview-of-application-virtualization.md b/mdop/appv-v4/overview-of-application-virtualization.md
index e5ebe91ee2..356e53e996 100644
--- a/mdop/appv-v4/overview-of-application-virtualization.md
+++ b/mdop/appv-v4/overview-of-application-virtualization.md
@@ -21,7 +21,7 @@ Microsoft Application Virtualization (App-V) can make applications available to
The App-V client is the feature that lets the end user interact with the applications after they have been published to the computer. The client manages the virtual environment in which the virtualized applications run on each computer. After the client has been installed on a computer, the applications must be made available to the computer through a process known as *publishing*, which enables the end user to run the virtual applications. The publishing process copies the virtual application icons and shortcuts to the computer—typically on the Windows desktop or on the **Start** menu—and also copies the package definition and file type association information to the computer. Publishing also makes the application package content available to the end user’s computer.
-The virtual application package content can be copied onto one or more Application Virtualization servers so that it can be streamed down to the clients on demand and cached locally. File servers and Web servers can also be used as streaming servers, or the content can be copied directly to the end user’s computer—for example, if you are using an electronic software distribution system, such as Microsoft System Center Configuration Manager 2007. In a multi-server implementation, maintaining the package content and keeping it up to date on all the streaming servers requires a comprehensive package management solution. Depending on the size of your organization, you might need to have many virtual applications available to end users located all over the world. Managing the packages to ensure that the appropriate applications are available to all users where and when they need access to them is therefore an important requirement.
+The virtual application package content can be copied onto one or more Application Virtualization servers so that it can be streamed down to the clients on demand and cached locally. File servers and Web servers can also be used as streaming servers, or the content can be copied directly to the end user’s computer—for example, if you are using an electronic software distribution system, such as Microsoft Endpoint Configuration Manager. In a multi-server implementation, maintaining the package content and keeping it up to date on all the streaming servers requires a comprehensive package management solution. Depending on the size of your organization, you might need to have many virtual applications available to end users located all over the world. Managing the packages to ensure that the appropriate applications are available to all users where and when they need access to them is therefore an important requirement.
## Microsoft Application Virtualization System Features
diff --git a/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md b/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md
index e1cbb3ac00..a3718091a0 100644
--- a/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md
+++ b/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md
@@ -21,7 +21,7 @@ Microsoft Application Virtualization Management provides the capability to make
The Application Virtualization Client is the Application Virtualization system component that enables the end user to interact with the applications after they have been published to the computer. The client manages the virtual environment in which the virtualized applications run on each computer. After the client has been installed on a computer, the applications must be made available to the computer through a process known as *publishing*, which enables the end user to run the virtual applications. The publishing process places the virtual application icons and shortcuts on the computer—typically on the Windows desktop or on the **Start** menu—and also places the package definition and file type association information on the computer. Publishing also makes the application package content available to the end user’s computer.
-The virtual application package content can be placed on one or more Application Virtualization servers so that it can be streamed down to the clients on demand and cached locally. File servers and Web servers can also be used as streaming servers, or the content can be placed directly on the end user’s computer—for example, if you are using an electronic software distribution system, such as Microsoft System Center Configuration Manager 2007. In a multi-server implementation, maintaining the package content and keeping it up to date on all the streaming servers requires a comprehensive package management solution. Depending on the size of your organization, you might need to have many virtual applications accessible to end users located all over the world. Managing the packages to ensure that the right applications are available to all users where and when they need access to them is therefore an essential requirement.
+The virtual application package content can be placed on one or more Application Virtualization servers so that it can be streamed down to the clients on demand and cached locally. File servers and Web servers can also be used as streaming servers, or the content can be placed directly on the end user’s computer—for example, if you are using an electronic software distribution system, such as Microsoft Endpoint Configuration Manager. In a multi-server implementation, maintaining the package content and keeping it up to date on all the streaming servers requires a comprehensive package management solution. Depending on the size of your organization, you might need to have many virtual applications accessible to end users located all over the world. Managing the packages to ensure that the right applications are available to all users where and when they need access to them is therefore an essential requirement.
The Application Virtualization Planning and Deployment Guide provides information to help you better understand and deploy the Microsoft Application Virtualization application and its components. It also provides step-by-step procedures for implementing the key deployment scenarios.
diff --git a/mdop/appv-v4/planning-for-migration-from-previous-versions.md b/mdop/appv-v4/planning-for-migration-from-previous-versions.md
index c324bac3d4..2e96c0f008 100644
--- a/mdop/appv-v4/planning-for-migration-from-previous-versions.md
+++ b/mdop/appv-v4/planning-for-migration-from-previous-versions.md
@@ -186,7 +186,7 @@ The following table lists which client versions will run packages created by usi
## Additional Migration Considerations
-One of the features of the App-V 4.5 Sequencer is the ability to create Windows Installer files (.msi) as control points for virtual application package interoperability with electronic software distribution (ESD) systems such as Microsoft System Center Configuration Manager. Previous Windows Installer files created with the .msi tool for Application Virtualization that were installed on a App-V 4.1 or 4.2 Client that is subsequently upgraded to 4.5 continue to work, although they cannot be installed on the 4.5 Client. However, they cannot be removed or upgraded unless they are upgraded in the 4.5 Sequencer. The original pre-4.5 virtual application package would need to be opened in the 4.5 Sequencer and then saved as a Windows Installer File.
+One of the features of the App-V 4.5 Sequencer is the ability to create Windows Installer files (.msi) as control points for virtual application package interoperability with electronic software distribution (ESD) systems such as Microsoft Endpoint Configuration Manager. Previous Windows Installer files created with the .msi tool for Application Virtualization that were installed on a App-V 4.1 or 4.2 Client that is subsequently upgraded to 4.5 continue to work, although they cannot be installed on the 4.5 Client. However, they cannot be removed or upgraded unless they are upgraded in the 4.5 Sequencer. The original pre-4.5 virtual application package would need to be opened in the 4.5 Sequencer and then saved as a Windows Installer File.
**Note**
If the App-V 4.2 Client has already been upgraded to 4.5, it is possible to use script as a workaround to preserve the 4.2 packages on 4.5 clients and allow them to be managed. This script must copy two files, msvcp71.dll and msvcr71.dll, to the App-V installation folder and set the following registry key values under the registry key \[HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Configuration\]:
diff --git a/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md b/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md
index af5b7a4cfc..7106bf01e0 100644
--- a/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md
+++ b/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md
@@ -19,7 +19,7 @@ ms.date: 06/16/2016
In Application Virtualization, after you have sequenced and tested a package, you need to deploy the virtual application package to the target computers. To accomplish this, you will need to determine where to put the package content and how to deliver it to the end user computers. An efficient, effective electronic software distribution–based deployment plan will help you avoid the situation where large numbers of end users computers need to retrieve the package content over slow network connections.
-If you currently have an electronic software distribution (ESD) system in daily operation, you can use it to handle all necessary management tasks in Application Virtualization. This means that you can effectively use your existing infrastructure to the best advantage, without the need to add new servers and application software or incur the additional administrative overhead that these would require. Ideally, if you have System Center Configuration Manager 2007 R2 deployed and operational, you will find that Configuration Manager has built-in capability for performing the Application Virtualization management tasks.
+If you currently have an electronic software distribution (ESD) system in daily operation, you can use it to handle all necessary management tasks in Application Virtualization. This means that you can effectively use your existing infrastructure to the best advantage, without the need to add new servers and application software or incur the additional administrative overhead that these would require. Ideally, if you have Microsoft Endpoint Configuration Manager deployed and operational, you will find that Configuration Manager has built-in capability for performing the Application Virtualization management tasks.
For in-depth information about performing an ESD-based deployment, [Electronic Software Distribution-Based Scenario](electronic-software-distribution-based-scenario.md).
diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md
index d8e8d0fc89..f2d0494b7f 100644
--- a/mdop/mbam-v25/troubleshooting-mbam-installation.md
+++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md
@@ -335,7 +335,7 @@ The MBAM agent will be unable to post any updates to the database if connectivit
User: SYSTEM
Computer: TESTLABS.CONTOSO.COM
Description:
- An error occured while applying MBAM policies.
+ An error occurred while applying MBAM policies.
Volume ID:\\?\Volume{871c5858-2467-4d0b-8c83-d68af8ce10e5}\
Error code:
0x803D0010
@@ -352,7 +352,7 @@ The MBAM agent will be unable to post any updates to the database if connectivit
User: SYSTEM
Computer: TESTLABS.CONTOSO.COM
Description:
- An error occured while applying MBAM policies.
+ An error occurred while applying MBAM policies.
Volume ID:\\?\Volume{871c5858-2467-4d0b-8c83-d68af8ce10e5}\
Error code:
0x803D0006
@@ -420,7 +420,7 @@ The MBAM services may be unable to connect to the database server because of a n
Computer: MBAM2-Admin.contoso.com
Description:
Event code: 100001
- Event message: SQL error occured
+ Event message: SQL error occurred
Event time: 7/11/2013 6:16:34 PM
Event time (UTC): 7/11/2013 12:46:34 PM
Event ID: 6615fb8eb9d54e778b933d5bb7ca91ed
@@ -552,7 +552,7 @@ Review the activity in the service trace log for any error or warning entries. B
XXXXXXXXXXX
- AddUpdateVolume: While executing sql transaction for add volume to store exception occured Key Recovery Data Store processing error: Violation of UNIQUE KEY constraint 'UniqueRecoveryKeyId'. Cannot insert duplicate key in object 'RecoveryAndHardwareCore.Keys'. The duplicate key value is (8637036e-b379-4798-bd9e-5a0b36296de3).
+ AddUpdateVolume: While executing sql transaction for add volume to store exception occurred Key Recovery Data Store processing error: Violation of UNIQUE KEY constraint 'UniqueRecoveryKeyId'. Cannot insert duplicate key in object 'RecoveryAndHardwareCore.Keys'. The duplicate key value is (8637036e-b379-4798-bd9e-5a0b36296de3).
diff --git a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
index 665b8f08a0..d501b3826f 100644
--- a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
+++ b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
@@ -81,7 +81,7 @@ When you install updates to Windows XP, make sure that you remain on the version
Although it is optional, we recommend that you install the following update for [hotfix KB972435](https://go.microsoft.com/fwlink/?LinkId=201077) (https://go.microsoft.com/fwlink/?LinkId=201077). This update increases the performance of shared folders in a Terminal Services session:
**Note**
-The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
+The update is publicly available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
index 06b7cfbe45..e2ebe0a01f 100644
--- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
@@ -29,7 +29,7 @@ If you are using System Center Configuration Manager 2007 SP2 and your MED-V wor
The [hotfix to improve the functionality for VMs that are managed by MED-V](https://go.microsoft.com/fwlink/?LinkId=201088) (https://go.microsoft.com/fwlink/?LinkId=201088) adds new functionality to virtual machines that are managed by MED-V and that are configured to operate in **NAT** mode. The new functionality lets virtual machines access the closest distribution points. Therefore, the administrator can manage the virtual machine and the host computer in the same manner. This hotfix must be installed first on the site server and then on the client.
-The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
+The update is publicly available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
diff --git a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
index 0ec14a0a96..5dfe7451d7 100644
--- a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
@@ -29,7 +29,7 @@ If you are using System Center Configuration Manager 2007 SP2 and your MED-V wor
The [hotfix to improve the functionality for VMs that are managed by MED-V](https://go.microsoft.com/fwlink/?LinkId=201088) (https://go.microsoft.com/fwlink/?LinkId=201088) adds new functionality to virtual machines that are managed by MED-V and that are configured to operate in **NAT** mode. The new functionality lets virtual machines access the closest distribution points. Therefore, the administrator can manage the virtual machine and the host computer in the same manner. This hotfix must be installed first on the site server and then on the client.
-The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
+The update is publicly available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix.
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index fe8f3b7411..bdfb8ea979 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -24,7 +24,7 @@
### [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md)
### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md)
-### [Working with solution providers in Microsoft Store for Business](work-with-partner-microsoft-store-business.md)
+### [Working with solution providers](work-with-partner-microsoft-store-business.md)
## [Billing and payments](billing-payments-overview.md)
### [Understand your invoice](billing-understand-your-invoice-msfb.md)
### [Payment methods](payment-methods.md)
diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md
deleted file mode 100644
index e2829a08cb..0000000000
--- a/store-for-business/work-with-partner-microsoft-store-business.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Work with solution providers in Microsoft Store for Business and Education (Windows 10)
-description: You can work with Microsoft-certified solution providers to purchase and manage products and services for your organization or school.
-keywords: partner, solution provider
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
-ms.topic: conceptual
-ms.date: 10/12/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Working with solution providers in Microsoft Store for Business
-
-You can work with Microsoft-certified solution providers to purchase and manage products and services for your organization or school. There's a few steps involved in getting the things set up.
-
-The process goes like this:
-- Admins find and contact a solution provider using **Find a solution provider** in Microsoft Store for Business.
-- Solution providers send a request from Partner center to customers to become their solution provider.
-- Customers accept the invitation in Microsoft Store for Business and start working with the solution provider.
-- Customers can manage settings for the relationship with Partner in Microsoft Store for Business.
-
-## What can a solution provider do for my organization or school?
-
-There are several ways that a solution provider can work with you. Solution providers will choose one of these when they send their request to work as a partner with you.
-
-| Solution provider function | Description |
-| ------ | ------------------- |
-| Reseller | Solution providers sell Microsoft products to your organization or school. |
-| Delegated administrator | Solution provider manages products and services for your organization or school. In Azure Active Directory (AD), the Partner will be a Global Administrator for tenant. This allows them to manage services like creating user accounts, assigning and managing licenses, and password resets. |
-| Reseller & delegated administrator | Solution providers that sell and manage Microsoft products and services to your organization or school. |
-| Partner | You can give your solution provider a user account in your tenant, and they work on your behalf with other Microsoft services. |
-| Microsoft Products & Services Agreement (MPSA) partner | If you've worked with multiple solution providers through the MPSA program, you can allow partners to see purchases made by each other. |
-| OEM PC partner | Solution providers can upload device IDs for PCs that you're [managing with Autopilot](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). |
-| Line-of-business (LOB) partner | Solution providers can develop, submit, and manage LOB apps specific for your organization or school. |
-
-## Find a solution provider
-
-You can find partner in Microsoft Store for Business and Education.
-
-1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com/).
-2. Select **Find a solution provider**.
-
- 
-
-3. Refine the list, or search for a solution provider.
-
- 
-
-4. When you find a solution provider you're interested in working with, click **Contact**.
-5. Complete and send the form.
-
-The solution provider will get in touch with you. You'll have a chance to learn more about them. If you decide to work with the solution provider, they will send you an email invitation from Partner Center.
-
-## Work with a solution provider
-
-Once you've found a solution provider and decided to work with them, they'll send you an invitation to work together from Partner Center. In Microsoft Store for Business or Education, you'll need to accept the invitation. After that, you can manage their permissions.
-
-**To accept a solution provider invitation**
-1. **Follow email link** - You'll receive an email with a link to accept the solution provider invitation from your solution provider. The link will take you to Microsoft Store for Business or Education.
-2. **Accept invitation** - On **Accept Partner Invitation**, select **Authorize** to accept the invitation, accept terms of the Microsoft Cloud Agreement, and start working with the solution provider.
-
-
-
-## Delegate admin privileges
-
-Depending on the request made by the solution provider, part of accepting the invitation will include agreeing to give delegated admin privileges to the solution provider. This will happen when the solution provider request includes acting as a delegated administrator. For more information, see [Delegated admin privileges in Azure AD](https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges#delegated-admin-privileges-in-azure-ad).
-
-If you don't want to delegate admin privileges to the solution provider, you'll need to cancel the invitation instead of accepting it.
-
-If you delegate admin privileges to a solution provider, you can remove that later.
-
-**To remove delegate admin privileges**
-1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com/).
-2. Select **Partner**
-3. Choose the Partner you want to manage.
-4. Select **Remove Delegated Permissions**.
-
-The solution provider will still be able to work with you, for example, as a Reseller.
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 5a4fd15cf0..121f28dad6 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -1,11 +1,13 @@
---
title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
+keywords: whitelisting, security, malware
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
+ms.reviewer: jsuther1974
ms.date: 05/21/2019
---
@@ -61,7 +63,8 @@ This node specifies whether a policy is actually loaded by the enforcement engin
Scope is dynamic. Supported operation is Get.
-Value type is bool. Supported values are as follows:
+Value type is bool. Supported values are as follows:
+
- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system.
- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default.
@@ -70,7 +73,8 @@ This node specifies whether a policy is deployed on the system and is present on
Scope is dynamic. Supported operation is Get.
-Value type is bool. Supported values are as follows:
+Value type is bool. Supported values are as follows:
+
- True — Indicates that the policy is deployed on the system and is present on the physical machine.
- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default.
@@ -79,7 +83,8 @@ This node specifies whether the policy is authorized to be loaded by the enforce
Scope is dynamic. Supported operation is Get.
-Value type is bool. Supported values are as follows:
+Value type is bool. Supported values are as follows:
+
- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default.
@@ -112,24 +117,43 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
-## Usage guidance
+## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
-To use ApplicationControl CSP, you must:
-- Know a generated policy’s GUID, which can be found in the policy xml as ``.
-- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
-If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy via uploading the binary file.
+## Non-Intune Usage Guidance
+
+In order to leverage the ApplicationControl CSP without using Intune, you must:
+
+1. Know a generated policy’s GUID, which can be found in the policy xml as or for pre-1903 systems.
+2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool.
+
+Below is a sample certutil invocation:
+
+```cmd
+certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
+```
+
+An alternative to using certutil would be to use the following PowerShell invocation:
+
+```powershell
+[Convert]::toBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path ))
+```
+
+### Deploy Policies
-### Deploy policies
To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below.
To deploy base policy and supplemental policies:
-- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
-- Repeat for each base or supplemental policy (with its own GUID and data).
+
+1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
+2. Repeat for each base or supplemental policy (with its own GUID and data).
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
-**Example 1: Add first base policy**
+#### Example 1: Add first base policy
+
```xml
1
@@ -144,7 +168,9 @@ The following example shows the deployment of two base policies and a supplement
```
-**Example 2: Add second base policy**
+
+#### Example 2: Add second base policy
+
```xml
1
@@ -159,7 +185,9 @@ The following example shows the deployment of two base policies and a supplement
```
-**Example 3: Add supplemental policy**
+
+#### Example 3: Add supplemental policy
+
```xml
1
@@ -174,6 +202,7 @@ The following example shows the deployment of two base policies and a supplement
```
+
### Get policies
Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it.
@@ -190,7 +219,8 @@ The following table displays the result of Get operation on different nodes:
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy|
-The following is an example of Get command:
+The following is an example of Get command:
+
```xml
1
@@ -203,17 +233,28 @@ The following is an example of Get command:
```
### Delete policies
+
+#### Rebootless Deletion
+
+Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
+
+#### Unsigned Policies
+
To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**.
-> [!Note]
-> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
-
+#### Signed Policies
+
+> [!NOTE]
+> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
+
To delete a signed policy:
+
1. Replace it with a signed update allowing unsigned policy.
-2. Deploy another update with unsigned policy.
+2. Deploy another update with unsigned Allow All policy.
3. Perform delete.
-
+
The following is an example of Delete command:
+
```xml
1
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index c5b559cf50..2818c2e55f 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> [!NOTE]
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment.
-> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
+> - Bulk enrollment works in Microsoft Endpoint Configuration Manager where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
## What you need
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index c4591652a5..8bedac1205 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1806,7 +1806,7 @@ The content below are the latest versions of the DDF files:
4
- This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4.
+ This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4.
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index c93fe4da96..15b21d0197 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -957,7 +957,7 @@ The XML below is for Windows 10, version 1803.
- Number of days after last sucessful sync to unenroll
+ Number of days after last successful sync to unenroll
diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
index e05ab31e6f..32ac15d67d 100644
--- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
@@ -15,7 +15,7 @@ ms.date: 06/26/2017
# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
-Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using System Center Configuration Manager.
+Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using Microsoft Endpoint Configuration Manager.
Here is a table of update path to Windows 10 Mobile.
@@ -79,7 +79,7 @@ Down the road, after the upgrade to Windows 10 is complete, if you decide to pus
**Requirements:**
- The test device must be same as the other production devices that are receiving the updates.
-- Your test device must be enrolled with System Center Configuration Manager.
+- Your test device must be enrolled with Microsoft Endpoint Configuration Manager.
- Your device can connect to the Internet.
- Your device must have an SD card with at least 0.5 GB of free space.
- Ensure that the settings app and PhoneUpdate applet are available via Assigned Access.
@@ -93,7 +93,7 @@ The following diagram is a high-level overview of the process.
Define the baseline update set that will be applied to other devices. Use a device that is running the most recent image as the test device.
-Trigger the device to check for updates either manually or using System Center Configuration Manager.
+Trigger the device to check for updates either manually or using Microsoft Endpoint Configuration Manager.
**Manually**
@@ -104,19 +104,19 @@ Trigger the device to check for updates either manually or using System Center C
> **Note** There is a bug in all OS versions up to GDR2 where the CSP will not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device.
-**Using System Center Configuration Manager**
+**Using Microsoft Endpoint Configuration Manager**
1. Remotely trigger a scan of the test device by deploying a Trigger Scan Configuration Baseline.
- 
+ 
2. Set the value of this OMA-URI by browsing to the settings of this Configuration Item and selecting the newly created Trigger Scan settings from the previous step.
- 
+ 
3. Ensure that the value that is specified for this URI is greater than the value on the device(s) and that the Remediate noncompliant rules when supported option is checked. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
- 
+ 
4. Create a Configuration Baseline for TriggerScan and Deploy. It is recommended that this Configuration Baseline be deployed after the Controlled Updates Baseline has been applied to the device (the corresponding files are deployed on the device through a device sync session).
5. Follow the prompts for downloading the updates, but do not install the updates on the device.
@@ -132,16 +132,16 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p
1. Create a Configuration Item using ConfigMgr to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml.
- > **Note** In System Center Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large.
+ > **Note** In Microsoft Endpoint Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large.
If the XML file is greater than 32K you can also use ./Vendor/MSFT/FileSystem/<*filename*>.
2. Set a baseline for this Configuration Item with a “dummy” value (such as zzz), and ensure that you do not remediate it.
The dummy value is not be set; it is only used for comparison.
-3. After the report XML is sent to the device, System Center Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data.
+3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data.
4. Parse this log for the report XML content.
-For a step-by-step walkthrough, see [How to retrieve a device update report using System Center Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-system-center-configuration-manager-logs).
+For a step-by-step walkthrough, see [How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs).
**Post-GDR1: Retrieve the report xml file using an SD card**
@@ -228,7 +228,7 @@ This process has three parts:
1. Create a configuration item and specify that file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
2. Check the box **Remediate noncompliant settings**.
- 
+ 
3. Click **OK**.
@@ -238,11 +238,11 @@ This process has three parts:
1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then click **OK**.
- 
+ 
3. Deploy the configuration baseline to the appropriate device or device collection.
- 
+ 
4. Click **OK**.
@@ -252,7 +252,7 @@ Now that the other "production" or "in-store" devices have the necessary informa
### Use this process for unmanaged devices
-If the update policy of the device is not managed or restricted by System Center Configuration Manager, an update process can be initiated on the device in one of the following ways:
+If the update policy of the device is not managed or restricted by Microsoft Endpoint Configuration Manager, an update process can be initiated on the device in one of the following ways:
- Initiated by a periodic scan that the device automatically performs.
- Initiated manually through **Settings** -> **Phone Update** -> **Check for Updates**.
@@ -261,14 +261,14 @@ If the update policy of the device is not managed or restricted by System Center
If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways:
-- Trigger the device to scan for updates through System Center Configuration Manager.
+- Trigger the device to scan for updates through Microsoft Endpoint Configuration Manager.
Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline.
> **Note** Ensure that the PhoneUpdateRestriction Policy is set to a value of 0, to ensure that the device will not perform an automatic scan.
-- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in System Center Configuration Manager.
+- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in Microsoft Endpoint Configuration Manager.
After the installation of updates is completed, the IT Admin can use the DUReport generated in the production devices to determine if the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
@@ -456,7 +456,7 @@ DownloadFiles $inputFile $downloadCache $localCacheURL
```
-## How to retrieve a device update report using System Center Configuration Manager logs
+## How to retrieve a device update report using Microsoft Endpoint Configuration Manager logs
Use this procedure for pre-GDR1 devices.
@@ -465,17 +465,17 @@ Use this procedure for pre-GDR1 devices.
1. Trigger a device scan. Go to **Settings** -> **Phone Update** -> **Check for Updates**.
Since the DUReport settings have not been remedied, you should see a non-compliance.
-2. In System Center Configuration Manager under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Items**.
+2. In Microsoft Endpoint Configuration Manager under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Items**.
3. Select **Create Configuration Item**.
- 
+ 
4. Enter a filename (such as GetDUReport) and then choose **Mobile Device**.
5. In the **Mobile Device Settings** page, check the box **Configure Additional Settings that are not in the default settings group**, and the click **Next**.
- 
+ 
6. In the **Additional Settings** page, click **Add**.
- 
+ 
7. In the **Browse Settings** page, click **Create Setting**.
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 1fe417dd0f..ab13935f66 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -89,7 +89,7 @@ The following diagram shows the EnterpriseAppVManagement configuration service p
- SYNC\_ERR\_PUBLISH\_GROUP_PACKAGES (3) - Publish group packages failed during publish.
- SYNC\_ERR\_UNPUBLISH_PACKAGES (4) - Unpublish packages failed during publish.
- SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish.
-- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occured during publish.
+- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish.
Value type is string. Supported operation is Get.
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index a24f114581..1c440edf96 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -492,6 +492,18 @@ Supported operation is Execute, Add, Delete, and Get.
**AppInstallation/*PackageFamilyName*/HostedInstall**
Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source).
+The following list shows the supported deployment options:
+- ForceApplicationShutdown
+- DevelopmentMode
+- InstallAllResources
+- ForceTargetApplicationShutdown
+- ForceUpdateToAnyVersion
+- DeferRegistration="1". If the app is in use at the time of installation. This stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
+- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
+- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607.
+- ValidateDependencies="1". This is used at provisioning/staging time. If it is set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies are not present. Available in the latest insider flight of 20H1.
+- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
+
Supported operation is Execute, Add, Delete, and Get.
**AppInstallation/*PackageFamilyName*/LastError**
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 08bae9914c..87c13cbc3e 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -279,7 +279,7 @@ There are a few instances where your device may not be able to connect to work,
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. |
| We could not find your identity in your organization’s cloud. | The username you entered was not found on your Azure AD tenant. |
-| Your device is already being managed by an organization. | Your device is either already managed by MDM or System Center Configuration Manager. |
+| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Endpoint Configuration Manager. |
| You don’t have the right privileges to perform this operation. Please talk to your admin. | You cannot enroll your device into MDM as a standard user. You must be on an administrator account. |
| We couldn’t auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
@@ -359,7 +359,7 @@ The **Info** button can be found on work or school connections involving MDM. Th
Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed.
-Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot.
+Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot.
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index a5298bf190..8a9c1a34dc 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -1657,10 +1657,10 @@ If disabled or not configured, extensions defined as part of this policy get ign
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
-- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy)
-- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows)
@@ -11034,10 +11034,10 @@ If disabled or not configured, extensions defined as part of this policy get ign
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
-- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy)
-- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows)
@@ -23032,10 +23032,10 @@ If disabled or not configured, extensions defined as part of this policy get ign
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
-- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy)
-- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows)
@@ -51686,10 +51686,10 @@ If disabled or not configured, extensions defined as part of this policy get ign
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
-- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
+- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy)
-- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+- Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager (https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows)
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 47a439de72..afb9c4241f 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -37,7 +37,7 @@ Windows 10 supports end-to-end device lifecycle management to give companies con
## Deploy
Windows 10 Mobile has a built-in device management client to deploy, configure, maintain, and support smartphones. Common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT), this client provides a single interface through which Mobile Device Management (MDM) solutions can manage any device that runs Windows 10. Because the MDM client integrates with identity management, the effort required to manage devices throughout the lifecycle is greatly reduced.
-Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or System Center Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select whichever system best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050).
+Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select whichever system best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050).
### Deployment scenarios
@@ -187,7 +187,6 @@ Azure AD is a cloud-based directory service that provides identity and access ma
**Mobile Device Management**
Microsoft [Intune](https://www.microsoft.com/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution.
-You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](https://technet.microsoft.com/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager.
Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account.
>**Note:** Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365.
@@ -280,7 +279,7 @@ Employees are usually allowed to change certain personal device settings that yo
*Applies to: Corporate devices*
-Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi Fi. You can use hardware restrictions to control the availability of these features.
+Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can use hardware restrictions to control the availability of these features.
The following lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions.
@@ -303,12 +302,12 @@ The following lists the MDM settings that Windows 10 Mobile supports to configur
*Applies to: Personal and corporate devices*
-Certificates help improve security by providing account authentication, Wi Fi authentication, VPN encryption, and SSL encryption of web content. Although users can manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation.
+Certificates help improve security by providing account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users can manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation.
To install certificates manually, you can post them on Microsoft Edge website or send them directly via email, which is ideal for testing purposes.
Using SCEP and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device (as long as the MDM system supports the Simple Certificate Enrollment Protocol (SCEP) or Personal Information Exchange (PFX)). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.
In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings.
Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile).
-Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently.
+Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidentally.
> **Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you:
> - View a summary of all personal certificates
@@ -322,11 +321,11 @@ Use the Allow Manual Root Certificate Installation setting to prevent users from
*Applies to: Corporate and personal devices*
-Wi-Fi is used on mobile devices as much as, or more than, cellular data connections. Most corporate Wi Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi Fi information is difficult for typical users to configure, but MDM systems can fully configure these Wi-Fi profiles without user intervention.
+Wi-Fi is used on mobile devices as much as, or more than, cellular data connections. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but MDM systems can fully configure these Wi-Fi profiles without user intervention.
You can create multiple Wi-Fi profiles in your MDM system. The below table lists the Windows 10 Mobile Wi Fi connection profile settings that can be configured by administrators.
-- **SSID** The case-sensitive name of the Wi Fi network Service Set Identifier
-- **Security type** The type of security the Wi Fi network uses; can be one of the following authentication types:
+- **SSID** The case-sensitive name of the Wi-Fi network Service Set Identifier
+- **Security type** The type of security the Wi-Fi network uses; can be one of the following authentication types:
- Open 802.11
- Shared 802.11
- WPA-Enterprise 802.11
@@ -341,13 +340,13 @@ You can create multiple Wi-Fi profiles in your MDM system. The below table lists
- **Extensible Authentication Protocol Transport Layer Security (EAP-TLS)** WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use EAP-TLS with certificates for authentication
- **Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2)** WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use PEAP-MSCHAPv2 with a user name and password for authentication
- **Shared key** WPA-Personal 802.11 and WPA2-Personal 802.11 security types can use a shared key for authentication.
-- **Proxy** The configuration of any network proxy that the Wi Fi connection requires (to specify the proxy server, use its fully qualified domain name [FQDN], Internet Protocol version 4 [IPv4] address, IP version 6 [IPv6] address, or IPvFuture address)
-- **Disable Internet connectivity checks** Whether the Wi Fi connection should check for Internet connectivity
+- **Proxy** The configuration of any network proxy that the Wi-Fi connection requires (to specify the proxy server, use its fully qualified domain name [FQDN], Internet Protocol version 4 [IPv4] address, IP version 6 [IPv6] address, or IPvFuture address)
+- **Disable Internet connectivity checks** Whether the Wi-Fi connection should check for Internet connectivity
- **Proxy auto-configuration URL** A URL that specifies the proxy auto-configuration file
- **Enable Web Proxy Auto-Discovery Protocol (WPAD)** Specifies whether WPAD is enabled
In addition, you can set a few device wide Wi-Fi settings.
-- **Allow Auto Connect to Wi Fi Sense Hotspots** Whether the device will automatically detect and connect to Wi-Fi networks
+- **Allow Auto Connect to Wi-Fi Sense Hotspots** Whether the device will automatically detect and connect to Wi-Fi networks
- **Allow Manual Wi-Fi Configuration** Whether the user can manually configure Wi-Fi settings
- **Allow Wi-Fi** Whether the Wi-Fi hardware is enabled
- **Allow Internet Sharing** Allow or disallow Internet sharing
@@ -958,7 +957,7 @@ DHA-enabled device management solutions help IT managers create a unified securi
For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](/windows/device-security/windows-10-mobile-security-guide).
-Thisis a lists of attributes that are supported by DHA and can trigger the corrective actions mentioned above.
+This is a list of attributes that are supported by DHA and can trigger the corrective actions mentioned above.
- **Attestation Identity Key (AIK) present** Indicates that an AIK is present (i.e., the device can be trusted more than a device without an AIK).
- **Data Execution Prevention (DEP) enabled** Whether a DEP policy is enabled for the device, indicating that the device can be trusted more than a device without a DEP policy.
- **BitLocker status** BitLocker helps protect the storage on the device. A device with BitLocker can be trusted more than a device without BitLocker.
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index c0ad05a8bd..7428624219 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -141,7 +141,7 @@
### [Administering UE-V](ue-v/uev-administering-uev.md)
#### [Manage Configurations for UE-V](ue-v/uev-manage-configurations.md)
##### [Configuring UE-V with Group Policy Objects](ue-v/uev-configuring-uev-with-group-policy-objects.md)
-##### [Configuring UE-V with System Center Configuration Manager](ue-v/uev-configuring-uev-with-system-center-configuration-manager.md)
+##### [Configuring UE-V with Microsoft Endpoint Configuration Manager](ue-v/uev-configuring-uev-with-system-center-configuration-manager.md)
##### [Administering UE-V with Windows PowerShell and WMI](ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md)
###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md)
###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index fb9e1c7935..cad5f5470d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -45,7 +45,7 @@ Cortana requires the following hardware and software to successfully run the inc
|Client operating system |
**Desktop:** Windows 10, version 1703
**Mobile:** Windows 10 Mobile, version 1703 (with limited functionality)
|
|Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.
For example:
If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.
If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. |
-|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
+|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
## Signing in using Azure AD
Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 825037d62d..9ae00ff891 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -36,7 +36,7 @@ To enable voice commands in Cortana
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
-2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
+2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
## Test scenario: Use voice commands in a Microsoft Store app
While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index be16f1f393..641af623c3 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -42,7 +42,7 @@ CSPs are behind many of the management tasks and policies for Windows 10, both i
-CSPs receive configuration policies in the XML-based SyncML format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as System Center Configuration Manager, can also target CSPs, by using a client-side WMI-to-CSP bridge.
+CSPs receive configuration policies in the XML-based SyncML format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side WMI-to-CSP bridge.
### Synchronization Markup Language (SyncML)
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 3f608dd8ee..035bdf4010 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -71,7 +71,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
| Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) |
-5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning packge to import to your project, and then click **Finish**.
+5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then click **Finish**.
>[!TIP]
>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly.
@@ -148,7 +148,7 @@ For details on each specific setting, see [Windows Provisioning settings referen
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-- [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://docs.microsoft.com/sccm/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
+- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
## Related topics
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index b67d2c9fa7..af989096a8 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -112,7 +112,7 @@ The following table provides some examples of settings that you can configure us
| Start menu customization | Start menu layout, application pinning |
| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
-\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices.
+\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Configuration Manager is not supported. Use the Configuration Manager console to enroll devices.
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
@@ -136,7 +136,7 @@ Windows ICD in Windows 10, version 1607, supported the following scenarios for I
* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include:
- * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment)
+ * Microsoft Intune (certificate-based enrollment)
* AirWatch (password-string based enrollment)
* Mobile Iron (password-string based enrollment)
* Other MDMs (cert-based enrollment)
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index 0d078ba82b..f7f8d70fcd 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -1,6 +1,6 @@
---
-title: Configuring UE-V with System Center Configuration Manager
-description: Configuring UE-V with System Center Configuration Manager
+title: Configuring UE-V with Microsoft Endpoint Configuration Manager
+description: Configuring UE-V with Microsoft Endpoint Configuration Manager
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
@@ -14,12 +14,12 @@ ms.topic: article
---
-# Configuring UE-V with System Center Configuration Manager
+# Configuring UE-V with Microsoft Endpoint Configuration Manager
**Applies to**
- Windows 10, version 1607
-After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of System Center Configuration Manager (2012 SP1 or later) to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
+After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
## UE-V Configuration Pack supported features
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index 926765cff2..b8b4cb2155 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -117,7 +117,7 @@ You can configure UE-V before, during, or after you enable the UE-V service on u
Windows Server 2012 and Windows Server 2012 R2
-- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of System Center Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
+- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
- [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service.
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index edb70df39e..918e018c48 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -222,7 +222,7 @@ After you create a settings location template with the UE-V template generator,
You can deploy settings location templates using of these methods:
-- An electronic software distribution (ESD) system such as System Center Configuration Manager
+- An electronic software distribution (ESD) system such as Microsoft Endpoint Configuration Manager
- Group Policy preferences
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index dddea0457c..71d5841793 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -27,11 +27,11 @@ You can use Group Policy Objects to modify the settings that define how UE-V syn
[Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md)
-## Configuring UE-V with System Center Configuration Manager
+## Configuring UE-V with Microsoft Endpoint Configuration Manager
-You can use System Center Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack.
+You can use Microsoft Endpoint Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack.
-[Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
+[Configuring UE-V with Microsoft Endpoint Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
## Administering UE-V with PowerShell and WMI
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index 7e2ed82e70..c56e5b4661 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -267,9 +267,9 @@ For more information, see the [Windows Application List](uev-managing-settings-l
If you are deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
-Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including System Center Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
+Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
-For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md).
+For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with Microsoft Endpoint Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md).
### Prevent unintentional user settings configuration
@@ -362,7 +362,7 @@ The UE-V service synchronizes user settings for devices that are not always conn
Enable this configuration using one of these methods:
-- After you enable the UE-V service, use the Settings Management feature in System Center Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration.
+- After you enable the UE-V service, use the Settings Management feature in Microsoft Endpoint Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration.
- Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the SyncMethod = None configuration.
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
index 186d34e8ec..ea77470ed5 100644
--- a/windows/configuration/wcd/wcd-calling.md
+++ b/windows/configuration/wcd/wcd-calling.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: dansimp
-ms.localizationpriority: medium
+ms.localizationpriority: medium
ms.author: dansimp
ms.topic: article
ms.date: 04/30/2018
@@ -57,7 +57,7 @@ See [Dialer codes to launch diagnostic applications](https://docs.microsoft.com/
## PerSimSettings
-Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the folowing settings.
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the following settings.
### Critical
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index 67158a5f0c..f556155dc7 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -81,7 +81,7 @@ SyncSender | Specify a value for SyncSender that is greater than 3 characters bu
## PerSimSettings
-Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the folowing settings.
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the following settings.
### AllowMmsIfDataIsOff
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 2e88d65395..ef3757e12b 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -35,7 +35,7 @@
### [Windows 10 deployment test lab](windows-10-poc.md)
#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+#### [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
### [Plan for Windows 10 deployment](planning/index.md)
#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md)
@@ -267,33 +267,8 @@
### Use Windows Server Update Services
#### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md)
-### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
+### [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
### [Determine the source of Windows updates](update/windows-update-sources.md)
-## Windows Analytics
-### [Windows Analytics overview](update/windows-analytics-overview.md)
-### [Windows Analytics in the Azure Portal](update/windows-analytics-azure-portal.md)
-### [Windows Analytics and privacy](update/windows-analytics-privacy.md)
-### Upgrade Readiness
-#### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
-#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
-#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
-#### Get started
-##### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
-##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
-#### Use Upgrade Readiness
-##### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
-##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
-##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
-##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
-##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
-##### [Step 4: Monitor deployment](upgrade/upgrade-readiness-monitor-deployment.md)
-##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
-##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md)
-### Device Health
-#### [Device Health overview](update/device-health-monitor.md)
-#### [Get started with Device Health](update/device-health-get-started.md)
-#### [Using Device Health](update/device-health-using.md)
-### [Enrolling devices in Windows Analytics](update/windows-analytics-get-started.md)
-### [Troubleshooting Windows Analytics and FAQ](update/windows-analytics-FAQ-troubleshooting.md)
+
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
index e6a2e1664a..2389ae314a 100644
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -1,160 +1,161 @@
----
-title: Change history for Deploy Windows 10 (Windows 10)
-description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Change history for Deploy Windows 10
-This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
-
-## April 2018
-
-New or changed topic | Description
---- | ---
-[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express.
-
-## November 2017
-
-New or changed topic | Description
--- | ---
- [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml.
-
-## RELEASE: Windows 10, version 1709
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. |
-| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.|
-
-## July 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| The table of contents for deployment topics was reorganized.
-
-## June 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New |
-
-## April 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. |
-| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. |
-| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. |
-| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. |
-
-
-## RELEASE: Windows 10, version 1703
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index).
-
-
-## March 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [What's new in Windows 10 deployment](deploy-whats-new.md) | New |
-| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. |
-| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. |
-| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |
-
-## February 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. |
-| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content |
-| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started |
-| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting |
-| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New |
-| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content |
-| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New |
-| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New |
-| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New |
-
-
-## January 2017
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
-| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
-| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
-| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) |
-| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) |
-| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) |
-| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) |
-| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) |
-| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) |
-| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) |
-| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) |
-| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
-| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
-| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
-
-
-## October 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New |
-
-## September 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
-| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery |
-| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows |
-| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New |
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
-
-- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md)
-- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md)
-- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md)
-
-## August 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements |
-
-## July 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New |
-
-## June 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
-| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 |
-| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New |
-
-## May 2016
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New |
-
-## December 2015
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated |
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated |
-
-## November 2015
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | New |
-
-## Related topics
-- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment)
-- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-- [Change history for Device Security](/windows/device-security/change-history-for-device-security)
-- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
+---
+title: Change history for Deploy Windows 10 (Windows 10)
+description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile.
+ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Change history for Deploy Windows 10
+This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
+
+## April 2018
+
+New or changed topic | Description
+--- | ---
+[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express.
+
+## November 2017
+
+New or changed topic | Description
+-- | ---
+ [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml.
+
+## RELEASE: Windows 10, version 1709
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. |
+| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.|
+
+## July 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| The table of contents for deployment topics was reorganized.
+
+## June 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New |
+
+## April 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. |
+| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. |
+| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. |
+| [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)| Added a table summarizing connection scenarios under the Enable data sharing topic. |
+
+
+## RELEASE: Windows 10, version 1703
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](/windows/configuration/index).
+
+
+## March 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [What's new in Windows 10 deployment](deploy-whats-new.md) | New |
+| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. |
+| [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. |
+| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |
+
+## February 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. |
+| [USMT Requirements](usmt/usmt-requirements.md) | Updated: Vista support removed and other minor changes |
+| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated structure and content |
+| [Upgrade Analytics deployment script](upgrade/upgrade-readiness-deployment-script.md) | Added as a separate page from get started |
+| [Use Upgrade Analytics to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) | Updated with links to new content and information about the target OS setting |
+| [Upgrade Analytics - Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) | New |
+| [Upgrade Analytics - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md) | Updated topic title and content |
+| [Upgrade Analytics - Step 2: Resolve app and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | New |
+| [Upgrade Analytics - Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) | New |
+| [Upgrade Analytics - Additional insights](upgrade/upgrade-readiness-additional-insights.md) | New |
+
+
+## January 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
+| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
+| [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
+| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) |
+| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) |
+| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) |
+| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) |
+| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) |
+| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) |
+| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) |
+| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) |
+| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) |
+| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
+| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
+| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
+
+
+## October 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) | New |
+
+## September 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
+| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated with prerequisites for site discovery |
+| [Resolve application and driver issues](upgrade/upgrade-readiness-resolve-issues.md) | Updated with app status info for Ready For Windows |
+| [Review site discovery](upgrade/upgrade-readiness-additional-insights.md) | New |
+
+## RELEASE: Windows 10, version 1607
+
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+
+- [Provisioning packages for Windows 10](/windows/configuration/provisioning-packages/provisioning-packages.md)
+- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md)
+- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md)
+
+## August 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated with reboot requirements |
+
+## July 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Manage Windows upgrades with Upgrade Analytics](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) | New |
+
+## June 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
+| [User State Migration Tool Technical Reference](usmt/usmt-technical-reference.md) | Updated support statement for Office 2016 |
+| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | New |
+
+## May 2016
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) | New |
+
+## December 2015
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Activate using Key Management Service](volume-activation/activate-using-key-management-service-vamt.md) | Updated |
+| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated |
+
+## November 2015
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | New |
+
+## Related topics
+- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment)
+- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
+- [Change history for Device Security](/windows/device-security/change-history-for-device-security)
+- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index cd4f1c3e5b..e43658fdb5 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -25,6 +25,10 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with
>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
+>[!IMPORTANT]
+>An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0.
+>Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled".
+
## Firmware-embedded activation key
To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 1ec460b74e..750119724d 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -1,78 +1,79 @@
----
-title: Deploy Windows 10 with Microsoft 365
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: Concepts about deploying Windows 10 for M365
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-keywords: deployment, automate, tools, configure, mdt, sccm, M365
-ms.localizationpriority: medium
-audience: itpro
author: greg-lindsay
-ms.topic: article
-ms.collection: M365-modern-desktop
----
-
-# Deploy Windows 10 with Microsoft 365
-
-**Applies to**
-
-- Windows 10
-
-This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
-
-[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview.
-
-For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
-
-- Windows Autopilot
-- In-place upgrade
-- Deploying Windows 10 upgrade with Intune
-- Deploying Windows 10 upgrade with System Center Configuration Manager
-- Deploying a computer refresh with System Center Configuration Manager
-
-## Free trial account
-
-**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center**
-
-From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
-In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles.
-There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
-
-**If you do not already have a Microsoft services subscription**
-
-You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
-
->[!NOTE]
->If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
-
-1. [Obtain a free M365 trial](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365).
-2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/).
-3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
-
-That's all there is to it!
-
-Examples of these two deployment advisors are shown below.
-
-- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
-- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
-
-## Microsoft 365 deployment advisor example
-
-
-## Windows Analytics deployment advisor example
-
-
-## M365 Enterprise poster
-
-[](https://aka.ms/m365eposter)
-
-## Related Topics
-
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
-
-
-
+---
+title: Deploy Windows 10 with Microsoft 365
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: Concepts about deploying Windows 10 for M365
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt, sccm, M365
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+
+# Deploy Windows 10 with Microsoft 365
+
+**Applies to**
+
+- Windows 10
+
+This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
+
+[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview.
+
+For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
+
+- Windows Autopilot
+- In-place upgrade
+- Deploying Windows 10 upgrade with Intune
+- Deploying Windows 10 upgrade with Microsoft Endpoint Configuration Manager
+- Deploying a computer refresh with Microsoft Endpoint Configuration Manager
+
+## Free trial account
+
+**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center**
+
+From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
+In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles.
+There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
+
+**If you do not already have a Microsoft services subscription**
+
+You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
+
+>[!NOTE]
+>If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
+
+1. [Obtain a free M365 trial](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365).
+2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/).
+3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
+
+That's all there is to it!
+
+Examples of these two deployment advisors are shown below.
+
+- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
+- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
+
+## Microsoft 365 deployment advisor example
+
+
+## Windows Analytics deployment advisor example
+
+
+## M365 Enterprise poster
+
+[](https://aka.ms/m365eposter)
+
+## Related Topics
+
+[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
+
+
+
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index e512fb6f51..0ee0a6d5b3 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -49,7 +49,7 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
## Windows 10 servicing and support
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon!
+- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
@@ -157,7 +157,7 @@ For more information, see the following guides:
- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
## Troubleshooting guidance
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index f02158277d..f9d1c1f252 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -45,7 +45,7 @@ When preparing for the computer replace, you need to create a folder in which to
2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` powershell
New-Item -Path E:\MigData -ItemType directory
- New-SmbShare ?Name MigData$ ?Path E:\MigData
+ New-SmbShare -Name MigData$ -Path E:\MigData
-ChangeAccess EVERYONE
icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
```
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index b1a4515898..03899e149e 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -111,11 +111,7 @@ If you want to automate enabling the TPM chip as part of the deployment process,
### Add tools from Dell
-The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named *cctk.exe*. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:
-
-```dos
-cctk.exe --tpm=on --valsetuppwd=Password1234
-```
+[Dell Comnmand | Configure](https://www.dell.com/support/article/us/en/04/sln311302/dell-command-configure) provides a Command Line Interface and a Graphical User Interface.
### Add tools from HP
diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index cb8f13a66b..9fdf3cf07d 100644
--- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -1,75 +1,76 @@
----
-title: Add a Windows 10 operating system image using Configuration Manager (Windows 10)
-description: Operating system images are typically the production image used for deployment throughout the organization.
-ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: image, deploy, distribute
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Add a Windows 10 operating system image using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
-
-1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
-
-2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
-
- 
-
- Figure 17. The Windows 10 image copied to the Sources folder structure.
-
-3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
-
-4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**.
-
-5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**.
-
-6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**.
-
-7. In the Distribute Content Wizard, add the CM01 distribution point.
-
-8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
-
- 
-
- Figure 18. The distributed Windows 10 Enterprise x64 RTM package.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+---
+title: Add a Windows 10 operating system image using Configuration Manager (Windows 10)
+description: Operating system images are typically the production image used for deployment throughout the organization.
+ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: image, deploy, distribute
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Add a Windows 10 operating system image using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+
+Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft Endpoint Configuration Manager, and how to distribute the image to a distribution point.
+
+For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+
+1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
+
+2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
+
+ 
+
+ Figure 17. The Windows 10 image copied to the Sources folder structure.
+
+3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
+
+4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**.
+
+5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**.
+
+6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**.
+
+7. In the Distribute Content Wizard, add the CM01 distribution point.
+
+8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+
+ 
+
+ Figure 18. The distributed Windows 10 Enterprise x64 RTM package.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 19e35e39b3..04dc40cc6e 100644
--- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -24,8 +24,8 @@ ms.topic: article
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 975eb2a944..77ad24c498 100644
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
-description: Microsoft System Center 2012 R2 Configuration Manager can create custom Windows Preinstallation Environment (Windows PE) boot images with extra features.
+description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
ms.reviewer:
manager: laurawi
@@ -23,10 +23,10 @@ ms.topic: article
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
+In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 19ffe1ae2a..f19cafa1a4 100644
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Create an app to deploy with Windows 10 using Configuration Manager
-description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
+description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
ms.reviewer:
manager: laurawi
@@ -23,10 +23,10 @@ ms.topic: article
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use.
+Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use.
For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
index 71be4f7e4b..6b8c2133f1 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -1,76 +1,77 @@
----
-title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
-description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences.
-ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, image, UEFI, task sequence
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 using PXE and Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001.
-
-For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
-
- 
-
- Figure 31. PXE booting PC0001.
-
-2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**.
-
-3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
-
-4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
-
-
-
-Figure 32. Typing in the computer name.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
+---
+title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
+description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences.
+ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, image, UEFI, task sequence
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 using PXE and Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+
+In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001.
+
+For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
+
+ 
+
+ Figure 31. PXE booting PC0001.
+
+2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**.
+
+3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
+
+4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
+
+
+
+Figure 32. Typing in the computer name.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index b933315e49..06c696d2c7 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -1,114 +1,115 @@
----
-title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10)
-description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
-ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, custom, boot
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 with System Center 2012 R2 Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
-
-For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-
-- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-
-- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
-
-- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-## Components of Configuration Manager operating system deployment
-
-
-Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
-
-- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
-
-- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
-
-- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
-
-- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
-
-- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
-
-- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
-
-- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
-
-- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
-
-- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
-
- **Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
-
-
-
-## See also
-
-
-- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
-- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
-
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-
-- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-
-- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
-
-- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
-
-
-
-
-
-
-
-
-
+---
+title: Deploy Windows 10 with Microsoft Endpoint Configuration Manager (Windows 10)
+description: If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
+ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, custom, boot
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
+
+For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+
+
+Figure 1. The machines used in this topic.
+
+## In this section
+
+
+- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
+
+- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+## Components of Configuration Manager operating system deployment
+
+
+Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+
+- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
+
+- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
+
+- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
+
+- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
+
+- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
+
+- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
+
+- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+
+- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
+
+- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
+
+ **Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
+
+
+
+## See also
+
+
+- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
+
+- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
+
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+
+- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
+
+- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
+
+- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index bad7159496..99f2e1edd9 100644
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -23,10 +23,10 @@ ms.topic: article
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
+This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft Endpoint Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
index e09b542e0e..c1461b27eb 100644
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
@@ -23,14 +23,14 @@ ms.topic: article
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
+In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft Endpoint Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows:
+To monitor an operating system deployment conducted through Microsoft Endpoint Configuration Manager, you will use the Deployment Workbench in MDT as follows:
1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 2951abbc45..4ccb6b76ea 100644
--- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -23,10 +23,10 @@ ms.topic: article
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
+This topic will walk you through the process of integrating Microsoft Endpoint Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
## Prerequisites
@@ -45,7 +45,7 @@ In this topic, you will use an existing Configuration Manager server structure t
- A Configuration Manager console folder structure for packages has been created.
-- System Center 2012 R2 Configuration Manager SP1 and any additional Windows 10 prerequisites are installed.
+- Microsoft Endpoint Configuration Manager and any additional Windows 10 prerequisites are installed.
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index f807d3f0e8..d9550467e3 100644
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -23,12 +23,12 @@ ms.topic: article
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
+This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft Endpoint Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
-A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:
+A computer refresh with Microsoft Endpoint Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:
1. Data and settings are backed up locally in a backup folder.
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 45d77e1fa1..b00e32b337 100644
--- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,240 +1,241 @@
----
-title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
-description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager.
-ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, install, installation, replace computer, setup
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10.
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
-
-## Create a replace task sequence
-
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
-
-3. On the **General** page, assign the following settings and click **Next**:
-
- * Task sequence name: Replace Task Sequence
-
- * Task sequence comments: USMT backup only
-
-4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
-
-6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
-
-8. On the **Summary** page, review the details and then click **Next**.
-
-9. On the **Confirmation** page, click **Finish**.
-
-10. Review the Replace Task Sequence.
- >[!NOTE]
- >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
-
-
-
-Figure 34. The backup-only task sequence (named Replace Task Sequence).
-
-## Associate the new machine with the old computer
-
-
-This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
-
-1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96.
-
-2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**.
-
-3. On the **Select Source** page, select **Import single computer** and click **Next**.
-
-4. On the **Single Computer** page, use the following settings and then click **Next**:
-
- * Computer Name: PC0006
-
- * MAC Address: <the mac address from step 1>
-
- * Source Computer: PC0004
-
- 
-
- Figure 35. Creating the computer association between PC0004 and PC0006.
-
-5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
-
-6. On the **Data Preview** page, click **Next**.
-
-7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**.
-
-8. On the **Summary** page, click **Next**, and then click **Close**.
-
-9. Select the **User State Migration** node and review the computer association in the right pane.
-
-10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
-
-11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again.
-
-## Create a device collection and add the PC0004 computer
-
-
-1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
-
- * General
-
- * Name: USMT Backup (Replace)
-
- * Limited Collection: All Systems
-
- * Membership rules:
-
- * Direct rule
-
- * Resource Class: System Resource
-
- * Attribute Name: Name
-
- * Value: PC0004
-
- * Select **Resources**
-
- * Select **PC0004**
-
-2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
-
-## Create a new deployment
-
-
-Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
-
-- General
-
- - Collection: USMT Backup (Replace)
-
-- Deployment Settings
-
- - Purpose: Available
-
- - Make available to the following: Only Configuration Manager Clients
-
-- Scheduling
-
- - <default>
-
-- User Experience
-
- - <default>
-
-- Alerts
-
- - <default>
-
-- Distribution Points
-
- - <default>
-
-## Verify the backup
-
-
-This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed.
-
-1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet.
-
-2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
-
- >[!NOTE]
- >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
-
-3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
-
-4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**.
-
-5. Allow the Replace Task Sequence to complete. It should only take about five minutes.
-
-6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup.
-
-7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
-
- >[!NOTE]
- >It may take a few minutes for the user state store location to be populated.
-
-
-
-## Deploy the new computer
-
-
-1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
-
- * Password: P@ssw0rd
-
- * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
-
-2. The setup now starts and does the following:
-
- * Installs the Windows 10 operating system
-
- * Installs the Configuration Manager client
-
- * Joins it to the domain
-
- * Installs the applications
-
- * Restores the PC0004 backup
-
-When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
+---
+title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
+ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, install, installation, replace computer, setup
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+
+In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10.
+
+For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
+
+## Create a replace task sequence
+
+
+1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+
+2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
+
+3. On the **General** page, assign the following settings and click **Next**:
+
+ * Task sequence name: Replace Task Sequence
+
+ * Task sequence comments: USMT backup only
+
+4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+
+5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
+
+6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
+
+7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
+
+8. On the **Summary** page, review the details and then click **Next**.
+
+9. On the **Confirmation** page, click **Finish**.
+
+10. Review the Replace Task Sequence.
+ >[!NOTE]
+ >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
+
+
+
+Figure 34. The backup-only task sequence (named Replace Task Sequence).
+
+## Associate the new machine with the old computer
+
+
+This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
+
+1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96.
+
+2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**.
+
+3. On the **Select Source** page, select **Import single computer** and click **Next**.
+
+4. On the **Single Computer** page, use the following settings and then click **Next**:
+
+ * Computer Name: PC0006
+
+ * MAC Address: <the mac address from step 1>
+
+ * Source Computer: PC0004
+
+ 
+
+ Figure 35. Creating the computer association between PC0004 and PC0006.
+
+5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
+
+6. On the **Data Preview** page, click **Next**.
+
+7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**.
+
+8. On the **Summary** page, click **Next**, and then click **Close**.
+
+9. Select the **User State Migration** node and review the computer association in the right pane.
+
+10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
+
+11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again.
+
+## Create a device collection and add the PC0004 computer
+
+
+1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
+
+ * General
+
+ * Name: USMT Backup (Replace)
+
+ * Limited Collection: All Systems
+
+ * Membership rules:
+
+ * Direct rule
+
+ * Resource Class: System Resource
+
+ * Attribute Name: Name
+
+ * Value: PC0004
+
+ * Select **Resources**
+
+ * Select **PC0004**
+
+2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
+
+## Create a new deployment
+
+
+Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
+
+- General
+
+ - Collection: USMT Backup (Replace)
+
+- Deployment Settings
+
+ - Purpose: Available
+
+ - Make available to the following: Only Configuration Manager Clients
+
+- Scheduling
+
+ - <default>
+
+- User Experience
+
+ - <default>
+
+- Alerts
+
+ - <default>
+
+- Distribution Points
+
+ - <default>
+
+## Verify the backup
+
+
+This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed.
+
+1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet.
+
+2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
+
+ >[!NOTE]
+ >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
+
+4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**.
+
+5. Allow the Replace Task Sequence to complete. It should only take about five minutes.
+
+6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup.
+
+7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
+
+ >[!NOTE]
+ >It may take a few minutes for the user state store location to be populated.
+
+
+
+## Deploy the new computer
+
+
+1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
+
+ * Password: P@ssw0rd
+
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
+
+2. The setup now starts and does the following:
+
+ * Installs the Windows 10 operating system
+
+ * Installs the Configuration Manager client
+
+ * Joins it to the domain
+
+ * Installs the applications
+
+ * Restores the PC0004 backup
+
+When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index e9b3ec607d..adca6df481 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -28,10 +28,10 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
-|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 9530728934..4414c1e8fe 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -10,8 +10,7 @@ metadata:
ms.localizationpriority: high
author: greg-lindsay
ms.author: greglin
- manager: elizapo
- ms.date: 02/09/2018
+ manager: laurawi
ms.topic: article
ms.devlang: na
@@ -35,11 +34,11 @@ sections:
image:
src: https://docs.microsoft.com/media/common/i_upgrade.svg
title: Windows as a service
- - href: update/windows-analytics-overview
- html:
Windows Analytics provides deep insights into your Windows 10 environment.
Windows Autopilot greatly simplifies deployment of Windows devices
image:
- src: https://docs.microsoft.com/media/common/i_investigate.svg
- title: Windows Analytics
+ src: https://docs.microsoft.com/media/common/i_delivery.svg
+ title: Windows Autopilot
- title:
- items:
- type: markdown
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index b4ff72ee14..5dc23ca66e 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -1,456 +1,458 @@
----
-title: MBR2GPT
-description: How to use the MBR2GPT tool to convert MBR partitions to GPT
-keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.date: 02/13/2018
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# MBR2GPT.EXE
-
-**Applies to**
-- Windows 10
-
-## Summary
-
-**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option.
-
->MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
->The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
-
-See the following video for a detailed description and demonstration of MBR2GPT.
-
-
-
-You can use MBR2GPT to:
-
-- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT.
-- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
-- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
-- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later.
-
-Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
-
->[!IMPORTANT]
->After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. Make sure that your device supports UEFI before attempting to convert the disk.
-
-## Disk Prerequisites
-
-Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
-- The disk is currently using MBR
-- There is enough space not occupied by partitions to store the primary and secondary GPTs:
- - 16KB + 2 sectors at the front of the disk
- - 16KB + 1 sector at the end of the disk
-- There are at most 3 primary partitions in the MBR partition table
-- One of the partitions is set as active and is the system partition
-- The disk does not have any extended/logical partition
-- The BCD store on the system partition contains a default OS entry pointing to an OS partition
-- The volume IDs can be retrieved for each volume which has a drive letter assigned
-- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
-
-If any of these checks fails, the conversion will not proceed and an error will be returned.
-
-## Syntax
-
-
-
-### Options
-
-| Option | Description |
-|----|-------------|
-|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. |
-|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. |
-|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
-|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
-|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
-|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.|
-
-## Examples
-
-### Validation example
-
-In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**.
-
-```
-X:\>mbr2gpt /validate /disk:0
-MBR2GPT: Attempting to validate disk 0
-MBR2GPT: Retrieving layout of disk
-MBR2GPT: Validating layout, disk sector size is: 512
-MBR2GPT: Validation completed successfully
-```
-
-### Conversion example
-
-In the following example:
-
-1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type.
-2. The MBR2GPT tool is used to convert disk 0.
-3. The DiskPart tool displays that disk 0 is now using the GPT format.
-4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
-
->As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
-
-```
-X:\>DiskPart
-
-Microsoft DiskPart version 10.0.15048.0
-
-Copyright (C) Microsoft Corporation.
-On computer: MININT-K71F13N
-
-DISKPART> list volume
-
- Volume ### Ltr Label Fs Type Size Status Info
- ---------- --- ----------- ----- ---------- ------- --------- --------
- Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy
- Volume 1 C System Rese NTFS Partition 499 MB Healthy
- Volume 2 D Windows NTFS Partition 58 GB Healthy
- Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden
-
-DISKPART> select volume 2
-
-Volume 2 is the selected volume.
-
-DISKPART> list partition
-
- Partition ### Type Size Offset
- ------------- ---------------- ------- -------
- Partition 1 Primary 499 MB 1024 KB
-* Partition 2 Primary 58 GB 500 MB
- Partition 3 Recovery 612 MB 59 GB
-
-DISKPART> detail partition
-
-Partition 2
-Type : 07
-Hidden: No
-Active: No
-Offset in Bytes: 524288000
-
- Volume ### Ltr Label Fs Type Size Status Info
- ---------- --- ----------- ----- ---------- ------- --------- --------
-* Volume 2 D Windows NTFS Partition 58 GB Healthy
-
-DISKPART> exit
-
-Leaving DiskPart...
-
-X:\>mbr2gpt /convert /disk:0
-
-MBR2GPT will now attempt to convert disk 0.
-If conversion is successful the disk can only be booted in GPT mode.
-These changes cannot be undone!
-
-MBR2GPT: Attempting to convert disk 0
-MBR2GPT: Retrieving layout of disk
-MBR2GPT: Validating layout, disk sector size is: 512 bytes
-MBR2GPT: Trying to shrink the system partition
-MBR2GPT: Trying to shrink the OS partition
-MBR2GPT: Creating the EFI system partition
-MBR2GPT: Installing the new boot files
-MBR2GPT: Performing the layout conversion
-MBR2GPT: Migrating default boot entry
-MBR2GPT: Adding recovery boot entry
-MBR2GPT: Fixing drive letter mapping
-MBR2GPT: Conversion completed successfully
-MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!
-
-X:\>DiskPart
-
-Microsoft DiskPart version 10.0.15048.0
-
-Copyright (C) Microsoft Corporation.
-On computer: MININT-K71F13N
-
-DISKPART> list disk
-
- Disk ### Status Size Free Dyn Gpt
- -------- ------------- ------- ------- --- ---
- Disk 0 Online 60 GB 0 B *
-
-DISKPART> select disk 0
-
-Disk 0 is now the selected disk.
-
-DISKPART> list volume
-
- Volume ### Ltr Label Fs Type Size Status Info
- ---------- --- ----------- ----- ---------- ------- --------- --------
- Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy
- Volume 1 D Windows NTFS Partition 58 GB Healthy
- Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden
- Volume 3 FAT32 Partition 100 MB Healthy Hidden
- Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden
-
-DISKPART> select volume 1
-
-Volume 1 is the selected volume.
-
-DISKPART> list partition
-
- Partition ### Type Size Offset
- ------------- ---------------- ------- -------
- Partition 1 Recovery 499 MB 1024 KB
-* Partition 2 Primary 58 GB 500 MB
- Partition 4 System 100 MB 59 GB
- Partition 3 Recovery 612 MB 59 GB
-
-DISKPART> detail partition
-
-Partition 2
-Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
-Hidden : No
-Required: No
-Attrib : 0000000000000000
-Offset in Bytes: 524288000
-
- Volume ### Ltr Label Fs Type Size Status Info
- ---------- --- ----------- ----- ---------- ------- --------- --------
-* Volume 1 D Windows NTFS Partition 58 GB Healthy
-```
-
-## Specifications
-
-### Disk conversion workflow
-
-The following steps illustrate high-level phases of the MBR-to-GPT conversion process:
-
-1. Disk validation is performed.
-2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist.
-3. UEFI boot files are installed to the ESP.
-4. GPT metatdata and layout information is applied.
-5. The boot configuration data (BCD) store is updated.
-6. Drive letter assignments are restored.
-
-### Creating an EFI system partition
-
-For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
-
-1. The existing MBR system partition is reused if it meets these requirements:
- a. It is not also the OS or Windows Recovery Environment partition.
- b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
- c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
- d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed.
-2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32.
-
-If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified.
-
->[!IMPORTANT]
->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
-
-### Partition type mapping and partition attributes
-
-Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
-
-1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b).
-2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used.
-3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac).
-4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
-
-In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
-- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
-- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
-
-For more information about partition types, see:
-- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx)
-- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx)
-
-
-### Persisting drive letter assignments
-
-The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
-
-The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following:
-
-1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
-2. If found, set the value to be the new unique ID, obtained after the layout conversion.
-3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
-
-## Troubleshooting
-
-The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
-
-### Logs
-
-Four log files are created by the MBR2GPT tool:
-
-- diagerr.xml
-- diagwrn.xml
-- setupact.log
-- setuperr.log
-
-These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
-
-The default location for all these log files in Windows PE is **%windir%**.
-
-### Interactive help
-
-To view a list of options available when using the tool, type **mbr2gpt /?**
-
-The following text is displayed:
-
-```
-
-C:\> mbr2gpt /?
-
-Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk.
-
-MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS]
-
-Where:
-
- /validate
- - Validates that the selected disk can be converted
- without performing the actual conversion.
-
- /convert
- - Validates that the selected disk can be converted
- and performs the actual conversion.
-
- /disk:
- - Specifies the disk number of the disk to be processed.
- If not specified, the system disk is processed.
-
- /logs:
- - Specifies the directory for logging. By default logs
- are created in the %windir% directory.
-
- /map:=
- - Specifies the GPT partition type to be used for a
- given MBR partition type not recognized by Windows.
- Multiple /map switches are allowed.
-
- /allowFullOS
- - Allows the tool to be used from the full Windows
- environment. By default, this tool can only be used
- from the Windows Preinstallation Environment.
-```
-
-### Return codes
-
-MBR2GPT has the following associated return codes:
-
-| Return code | Description |
-|----|-------------|
-|0| Conversion completed successfully.|
-|1| Conversion was canceled by the user.|
-|2| Conversion failed due to an internal error.|
-|3| Conversion failed due to an initialization error.|
-|4| Conversion failed due to invalid command-line parameters. |
-|5| Conversion failed due to error reading the geometry and layout of the selected disk.|
-|6| Conversion failed because one or more volumes on the disk is encrypted.|
-|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.|
-|8| Conversion failed due to error while creating the EFI system partition.|
-|9| Conversion failed due to error installing boot files.|
-|10| Conversion failed due to error while applying GPT layout.|
-|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.|
-
-
-### Determining the partition type
-
-You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown:
-
-
-```
-PS C:\> Get-Disk | ft -Auto
-
-Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style
------- ------------- ------------- ------------ ----------------- ---------- ---------------
-0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR
-1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT
-```
-
-You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
-
-
-
-
-If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
-
-```
-X:\>DiskPart
-
-Microsoft DiskPart version 10.0.15048.0
-
-Copyright (C) Microsoft Corporation.
-On computer: MININT-K71F13N
-
-DISKPART> list disk
-
- Disk ### Status Size Free Dyn Gpt
- -------- ------------- ------- ------- --- ---
- Disk 0 Online 238 GB 0 B
- Disk 1 Online 931 GB 0 B *
-```
-
-In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.
-
-
-## Known issue
-
-### MBR2GPT.exe cannot run in Windows PE
-
-When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues:
-
-**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive.
-
-**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool.
-
-**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a System Center Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
-
-#### Cause
-
-This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
-
-#### Workaround
-
-To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps:
-
-1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
-
-2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM.
-
- For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window:
-
- **Command 1:**
- ```cmd
- copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
- ```
- This command copies three files:
-
- * ReAgent.admx
- * ReAgent.dll
- * ReAgent.xml
-
- **Command 2:**
- ```cmd
- copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us"
- ```
- This command copies two files:
- * ReAgent.adml
- * ReAgent.dll.mui
-
- > [!NOTE]
- > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language.
-
-3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
-
-
-## Related topics
-
-[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+---
+title: MBR2GPT
+description: How to use the MBR2GPT tool to convert MBR partitions to GPT
+keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.date: 02/13/2018
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# MBR2GPT.EXE
+
+**Applies to**
+- Windows 10
+
+## Summary
+
+**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option.
+
+>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
+>The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
+
+See the following video for a detailed description and demonstration of MBR2GPT.
+
+
+
+You can use MBR2GPT to:
+
+- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later.
+
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
+
+>[!IMPORTANT]
+>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. Make sure that your device supports UEFI before attempting to convert the disk.
+
+## Disk Prerequisites
+
+Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
+- The disk is currently using MBR
+- There is enough space not occupied by partitions to store the primary and secondary GPTs:
+ - 16KB + 2 sectors at the front of the disk
+ - 16KB + 1 sector at the end of the disk
+- There are at most 3 primary partitions in the MBR partition table
+- One of the partitions is set as active and is the system partition
+- The disk does not have any extended/logical partition
+- The BCD store on the system partition contains a default OS entry pointing to an OS partition
+- The volume IDs can be retrieved for each volume which has a drive letter assigned
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+
+If any of these checks fails, the conversion will not proceed and an error will be returned.
+
+## Syntax
+
+
+
+### Options
+
+| Option | Description |
+|----|-------------|
+|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. |
+|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. |
+|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
+|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
+|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
+|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.|
+
+## Examples
+
+### Validation example
+
+In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**.
+
+```
+X:\>mbr2gpt /validate /disk:0
+MBR2GPT: Attempting to validate disk 0
+MBR2GPT: Retrieving layout of disk
+MBR2GPT: Validating layout, disk sector size is: 512
+MBR2GPT: Validation completed successfully
+```
+
+### Conversion example
+
+In the following example:
+
+1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type.
+2. The MBR2GPT tool is used to convert disk 0.
+3. The DiskPart tool displays that disk 0 is now using the GPT format.
+4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+
+```
+X:\>DiskPart
+
+Microsoft DiskPart version 10.0.15048.0
+
+Copyright (C) Microsoft Corporation.
+On computer: MININT-K71F13N
+
+DISKPART> list volume
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+ Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy
+ Volume 1 C System Rese NTFS Partition 499 MB Healthy
+ Volume 2 D Windows NTFS Partition 58 GB Healthy
+ Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden
+
+DISKPART> select volume 2
+
+Volume 2 is the selected volume.
+
+DISKPART> list partition
+
+ Partition ### Type Size Offset
+ ------------- ---------------- ------- -------
+ Partition 1 Primary 499 MB 1024 KB
+* Partition 2 Primary 58 GB 500 MB
+ Partition 3 Recovery 612 MB 59 GB
+
+DISKPART> detail partition
+
+Partition 2
+Type : 07
+Hidden: No
+Active: No
+Offset in Bytes: 524288000
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+* Volume 2 D Windows NTFS Partition 58 GB Healthy
+
+DISKPART> exit
+
+Leaving DiskPart...
+
+X:\>mbr2gpt /convert /disk:0
+
+MBR2GPT will now attempt to convert disk 0.
+If conversion is successful the disk can only be booted in GPT mode.
+These changes cannot be undone!
+
+MBR2GPT: Attempting to convert disk 0
+MBR2GPT: Retrieving layout of disk
+MBR2GPT: Validating layout, disk sector size is: 512 bytes
+MBR2GPT: Trying to shrink the system partition
+MBR2GPT: Trying to shrink the OS partition
+MBR2GPT: Creating the EFI system partition
+MBR2GPT: Installing the new boot files
+MBR2GPT: Performing the layout conversion
+MBR2GPT: Migrating default boot entry
+MBR2GPT: Adding recovery boot entry
+MBR2GPT: Fixing drive letter mapping
+MBR2GPT: Conversion completed successfully
+MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!
+
+X:\>DiskPart
+
+Microsoft DiskPart version 10.0.15048.0
+
+Copyright (C) Microsoft Corporation.
+On computer: MININT-K71F13N
+
+DISKPART> list disk
+
+ Disk ### Status Size Free Dyn Gpt
+ -------- ------------- ------- ------- --- ---
+ Disk 0 Online 60 GB 0 B *
+
+DISKPART> select disk 0
+
+Disk 0 is now the selected disk.
+
+DISKPART> list volume
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+ Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy
+ Volume 1 D Windows NTFS Partition 58 GB Healthy
+ Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden
+ Volume 3 FAT32 Partition 100 MB Healthy Hidden
+ Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden
+
+DISKPART> select volume 1
+
+Volume 1 is the selected volume.
+
+DISKPART> list partition
+
+ Partition ### Type Size Offset
+ ------------- ---------------- ------- -------
+ Partition 1 Recovery 499 MB 1024 KB
+* Partition 2 Primary 58 GB 500 MB
+ Partition 4 System 100 MB 59 GB
+ Partition 3 Recovery 612 MB 59 GB
+
+DISKPART> detail partition
+
+Partition 2
+Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
+Hidden : No
+Required: No
+Attrib : 0000000000000000
+Offset in Bytes: 524288000
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+* Volume 1 D Windows NTFS Partition 58 GB Healthy
+```
+
+## Specifications
+
+### Disk conversion workflow
+
+The following steps illustrate high-level phases of the MBR-to-GPT conversion process:
+
+1. Disk validation is performed.
+2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist.
+3. UEFI boot files are installed to the ESP.
+4. GPT metatdata and layout information is applied.
+5. The boot configuration data (BCD) store is updated.
+6. Drive letter assignments are restored.
+
+### Creating an EFI system partition
+
+For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
+
+1. The existing MBR system partition is reused if it meets these requirements:
+ a. It is not also the OS or Windows Recovery Environment partition.
+ b. It is at least 100MB (or 260MB for 4K sector size disks) in size.
+ c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
+ d. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed.
+2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32.
+
+If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified.
+
+>[!IMPORTANT]
+>If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
+
+### Partition type mapping and partition attributes
+
+Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
+
+1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b).
+2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used.
+3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac).
+4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
+
+In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
+- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
+- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
+
+For more information about partition types, see:
+- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx)
+- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx)
+
+
+### Persisting drive letter assignments
+
+The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
+
+The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following:
+
+1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
+2. If found, set the value to be the new unique ID, obtained after the layout conversion.
+3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
+
+## Troubleshooting
+
+The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
+
+### Logs
+
+Four log files are created by the MBR2GPT tool:
+
+- diagerr.xml
+- diagwrn.xml
+- setupact.log
+- setuperr.log
+
+These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
+
+The default location for all these log files in Windows PE is **%windir%**.
+
+### Interactive help
+
+To view a list of options available when using the tool, type **mbr2gpt /?**
+
+The following text is displayed:
+
+```
+
+C:\> mbr2gpt /?
+
+Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk.
+
+MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS]
+
+Where:
+
+ /validate
+ - Validates that the selected disk can be converted
+ without performing the actual conversion.
+
+ /convert
+ - Validates that the selected disk can be converted
+ and performs the actual conversion.
+
+ /disk:
+ - Specifies the disk number of the disk to be processed.
+ If not specified, the system disk is processed.
+
+ /logs:
+ - Specifies the directory for logging. By default logs
+ are created in the %windir% directory.
+
+ /map:=
+ - Specifies the GPT partition type to be used for a
+ given MBR partition type not recognized by Windows.
+ Multiple /map switches are allowed.
+
+ /allowFullOS
+ - Allows the tool to be used from the full Windows
+ environment. By default, this tool can only be used
+ from the Windows Preinstallation Environment.
+```
+
+### Return codes
+
+MBR2GPT has the following associated return codes:
+
+| Return code | Description |
+|----|-------------|
+|0| Conversion completed successfully.|
+|1| Conversion was canceled by the user.|
+|2| Conversion failed due to an internal error.|
+|3| Conversion failed due to an initialization error.|
+|4| Conversion failed due to invalid command-line parameters. |
+|5| Conversion failed due to error reading the geometry and layout of the selected disk.|
+|6| Conversion failed because one or more volumes on the disk is encrypted.|
+|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.|
+|8| Conversion failed due to error while creating the EFI system partition.|
+|9| Conversion failed due to error installing boot files.|
+|10| Conversion failed due to error while applying GPT layout.|
+|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.|
+
+
+### Determining the partition type
+
+You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown:
+
+
+```
+PS C:\> Get-Disk | ft -Auto
+
+Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style
+------ ------------- ------------- ------------ ----------------- ---------- ---------------
+0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR
+1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT
+```
+
+You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
+
+
+
+
+If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
+
+```
+X:\>DiskPart
+
+Microsoft DiskPart version 10.0.15048.0
+
+Copyright (C) Microsoft Corporation.
+On computer: MININT-K71F13N
+
+DISKPART> list disk
+
+ Disk ### Status Size Free Dyn Gpt
+ -------- ------------- ------- ------- --- ---
+ Disk 0 Online 238 GB 0 B
+ Disk 1 Online 931 GB 0 B *
+```
+
+In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.
+
+
+## Known issue
+
+### MBR2GPT.exe cannot run in Windows PE
+
+When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues:
+
+**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive.
+
+**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool.
+
+**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
+
+#### Cause
+
+This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
+
+#### Workaround
+
+To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps:
+
+1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
+
+2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM.
+
+ For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window:
+
+ **Command 1:**
+ ```cmd
+ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
+ ```
+ This command copies three files:
+
+ * ReAgent.admx
+ * ReAgent.dll
+ * ReAgent.xml
+
+ **Command 2:**
+ ```cmd
+ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us"
+ ```
+ This command copies two files:
+ * ReAgent.adml
+ * ReAgent.dll.mui
+
+ > [!NOTE]
+ > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language.
+
+3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
+
+
+## Related topics
+
+[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
+ [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
+ [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index fe7585f713..abb5e94fdb 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -34,7 +34,7 @@ Use Windows Analytics to get:
- Guidance and insights into application and driver compatibility issues, with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools, including System Center Configuration Manager
+- Data export to commonly used software deployment tools, including Microsoft Endpoint Configuration Manager
The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index 6c41d9922c..08cbf28585 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -55,7 +55,7 @@ The following scenarios are examples of situations in which Windows To Go worksp
- **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer.
-- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including System Center Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
+- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
- **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC.
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 72439c1132..4b2d75eae6 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -57,7 +57,7 @@ The features described below are no longer being actively developed, and might b
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
|Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 |
|Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 |
-|Windows Hello for Business deployment that uses System Center Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
+|Windows Hello for Business deployment that uses Microsoft Endpoint Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
|Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 |
|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
|Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index 8716d1b086..764b8d1ca5 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -1,134 +1,136 @@
----
-title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
-description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
-keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 08/18/2017
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 Enterprise: FAQ for IT professionals
-
-Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
-
-## Download and requirements
-
-### Where can I download Windows 10 Enterprise?
-
-If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx).
-
-### What are the system requirements?
-
-For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752).
-
-### What are the hardware requirements for Windows 10?
-
-Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information.
-
-### Can I evaluate Windows 10 Enterprise?
-
-Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
-
-## Drivers and compatibility
-
-### Where can I find drivers for my devices for Windows 10 Enterprise?
-
-For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action.
-- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
-- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
-- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
- - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
- - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
- - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984)
- - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
-
-### Where can I find out if an application or device is compatible with Windows 10?
-
-Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center.
-
-### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10?
-
-[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics).
-
-## Administration and deployment
-
-### Which deployment tools support Windows 10?
-
-Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10.
-- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment.
-- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center.
-- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
-
-### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
-
-Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
-
-### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
-
-If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-
-For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
-
-## Managing updates
-
-### What is Windows as a service?
-
-The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
-
-### How is servicing different with Windows as a service?
-
-Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
-
-### What are the servicing channels?
-
-To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
-
-### What tools can I use to manage Windows as a service updates?
-
-There are many tools are available. You can choose from these:
-- Windows Update
-- Windows Update for Business
-- Windows Server Update Services
-- System Center Configuration Manager
-
-For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools).
-
-## User experience
-
-### Where can I find information about new features and changes in Windows 10 Enterprise?
-
-For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
-
-Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
-
-To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
-
-### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
-
-Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
-
-### How does Windows 10 help people work with applications and data across a variety of devices?
-
-The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include:
-- Start menu is a launching point for access to apps.
-- Universal apps now open in windows instead of full screen.
-- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged.
-- Tablet Mode to simplify using Windows with a finger or pen by using touch input.
-
-## Help and support
-
-### Where can I ask a question about Windows 10?
-
-Use the following resources for additional information about Windows 10.
-- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
-- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10).
-- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN.
-- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
+---
+title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
+description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
+keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 08/18/2017
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 Enterprise: FAQ for IT professionals
+
+Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
+
+## Download and requirements
+
+### Where can I download Windows 10 Enterprise?
+
+If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx).
+
+### What are the system requirements?
+
+For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752).
+
+### What are the hardware requirements for Windows 10?
+
+Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information.
+
+### Can I evaluate Windows 10 Enterprise?
+
+Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
+
+## Drivers and compatibility
+
+### Where can I find drivers for my devices for Windows 10 Enterprise?
+
+For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action.
+- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
+- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
+- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
+ - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
+ - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
+ - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984)
+ - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
+
+### Where can I find out if an application or device is compatible with Windows 10?
+
+Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center.
+
+### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10?
+
+[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics).
+
+## Administration and deployment
+
+### Which deployment tools support Windows 10?
+
+Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10.
+- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment.
+- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center.
+- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
+
+### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
+
+Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
+
+### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
+
+If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+
+For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
+
+## Managing updates
+
+### What is Windows as a service?
+
+The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
+
+### How is servicing different with Windows as a service?
+
+Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
+
+### What are the servicing channels?
+
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
+
+### What tools can I use to manage Windows as a service updates?
+
+There are many tools are available. You can choose from these:
+- Windows Update
+- Windows Update for Business
+- Windows Server Update Services
+- Microsoft Endpoint Configuration Manager
+
+For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools).
+
+## User experience
+
+### Where can I find information about new features and changes in Windows 10 Enterprise?
+
+For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
+
+Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
+
+To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
+
+### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
+
+Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
+
+### How does Windows 10 help people work with applications and data across a variety of devices?
+
+The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include:
+- Start menu is a launching point for access to apps.
+- Universal apps now open in windows instead of full screen.
+- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged.
+- Tablet Mode to simplify using Windows with a finger or pen by using touch input.
+
+## Help and support
+
+### Where can I ask a question about Windows 10?
+
+Use the following resources for additional information about Windows 10.
+- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
+- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10).
+- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN.
+- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index afbf7e0553..484aa23fe6 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -50,7 +50,7 @@ For System Center Configuration Manager, Windows 10 support is offered with var
> [!NOTE]
-> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management.
+> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management.
For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
@@ -58,7 +58,7 @@ For more details about System Center Configuration Manager support for Windows
## Management tools
-In addition to System Center Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store.
+In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store.
No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features.
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
index 40c4c03e81..77f7cfe31a 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
@@ -165,7 +165,7 @@ Yes, if the user has administrator permissions they can self-provision a Windows
## How can Windows To Go be managed in an organization?
-Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
+Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Endpoint Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
## How do I make my computer boot from USB?
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index d162aa111d..23fefc02cd 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -56,7 +56,7 @@ The applications that you want to use from the Windows To Go workspace should be
## Prepare for Windows To Go
-Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
+Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Endpoint Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available.
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index c46b4cc2da..8f73fcdfd0 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -72,7 +72,7 @@ numerous advantages:
Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
-For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), System Center Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
+For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
deleted file mode 100644
index e716dce744..0000000000
--- a/windows/deployment/update/device-health-get-started.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Get started with Device Health
-description: Configure Device Health in Azure Monitor to monitor health (such as crashes and sign-in failures) for your Windows 10 devices.
-keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.reviewer:
-manager: laurawi
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.author: jaimeo
-ms.localizationpriority: medium
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Get started with Device Health
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-This topic explains the steps necessary to configure your environment for Windows Analytics Device Health.
-
-- [Get started with Device Health](#get-started-with-device-health)
- - [Add the Device Health solution to your Azure subscription](#add-the-device-health-solution-to-your-azure-subscription)
- - [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics)
- - [Use Device Health to monitor device crashes, app crashes, sign-in failures, and more](#use-device-health-to-monitor-device-crashes-app-crashes-sign-in-failures-and-more)
- - [Related topics](#related-topics)
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-## Add the Device Health solution to your Azure subscription
-
-Device Health is offered as a *solution* which you link to a new or existing [Azure Monitor](https://azure.microsoft.com/services/monitor/) *workspace* within your Azure *subscription*. To configure this, follows these steps:
-
-1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
-
- >[!NOTE]
- > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health.
-
-2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution.
- 
-
- 
-3. Choose an existing workspace or create a new workspace to host the Device Health solution.
- 
- - If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace.
- - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
- - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- - For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- - For the location setting, choose the Azure region where you would prefer the data to be stored.
- - For the pricing tier select **per GB**.
-4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**.
- 
-5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear.
- 
- - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution.
- - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour.
-
-## Enroll devices in Windows Analytics
-
-Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment:
-1. Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Group Policy or similar)
-2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function.
-For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
-
-After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show "Performing Assessment."
-
-## Use Device Health to monitor device crashes, app crashes, sign-in failures, and more
-
-Once your devices are enrolled and data is flowing, you can move on to [Using Device Health](device-health-using.md).
-
->[!NOTE]
->You can remove the Device Health solution from your workspace if you no longer want to monitor your organization’s devices. Windows diagnostic data will continue to be shared with Microsoft as normal as per the diagnostic data sharing settings on the devices.
-
-## Related topics
-
-[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
-For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md
deleted file mode 100644
index 7274c2a591..0000000000
--- a/windows/deployment/update/device-health-monitor.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Monitor the health of devices with Device Health
-ms.reviewer:
-manager: laurawi
-description: You can use Device Health in Azure Portal to monitor the frequency and causes of crashes and misbehaving apps on devices in your network.
-keywords: oms, operations management suite, wdav, health, log analytics
-ms.prod: w10
-ms.mktglfcycl: deploy
-
-ms.localizationpriority: medium
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.author: jaimeo
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Monitor the health of devices with Device Health
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-## Introduction
-
-Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity.
-
-Like Upgrade Readiness and Update Compliance, Device Health is a solution built in Azure Portal, a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your Azure Portal workspace for its use. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) .
-
-Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the Azure Portal solution gallery and add it to your Azure Portal workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so.
-
-
-Device Health provides the following:
-
-- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced
-- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
-- Notification of Windows Information Protection misconfigurations that send prompts to end users
-- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 diagnostic data
-
-See the following topics in this guide for detailed information about configuring and using the Device Health solution:
-
-- [Get started with Device Health](device-health-get-started.md): How to add Device Health to your environment.
-- [Using Device Health](device-health-using.md): How to begin using Device Health.
-
-An overview of the processes used by the Device Health solution is provided below.
-
-## Device Health licensing
-
-Use of Windows Analytics Device Health requires one of the following licenses:
-
-- Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance
-- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
-- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
-- Windows VDA E3 or E5 per-device or per-user subscription
-
-
-You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health.
-
-
-## Device Health architecture
-
-The Device Health architecture and data flow is summarized by the following five-step process:
-
-
-
-**(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
-**(2)** Diagnostic data is analyzed by the Microsoft Telemetry Service.
-**(3)** Diagnostic data is pushed from the Microsoft Telemetry Service to your Azure Portal workspace.
-**(4)** Diagnostic data is available in the Device Health solution.
-**(5)** You are now able to proactively monitor Device Health issues in your environment.
-
-These steps are illustrated in following diagram:
-
- [](images/analytics-architecture.png)
-
->[!NOTE]
->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
-
-
-
-
-## Related topics
-
-[Get started with Device Health](device-health-get-started.md)
-
-[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
-
-For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md
deleted file mode 100644
index 2bdfae2338..0000000000
--- a/windows/deployment/update/device-health-using.md
+++ /dev/null
@@ -1,319 +0,0 @@
----
-title: Using Device Health
-ms.reviewer:
-manager: laurawi
-description: Explains how to begin using Device Health.
-ms.prod: w10
-ms.mktglfcycl: deploy
-keywords: oms, operations management suite, wdav, health, log analytics
-
-ms.pagetype: deploy
-author: jaimeo
-ms.author: jaimeo
-ms.localizationpriority: medium
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Using Device Health
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-This section describes how to use Device Health to monitor devices deployed on your network and troubleshoot the causes if they crash.
-
-
-Device Health provides IT Pros with reports on some common problems that users might experience so that they can be proactively remediated. This decreases support calls and improves productivity.
-
-Device Health provides the following benefits:
-
-- Identification of devices that crash frequently and therefore might need to be rebuilt or replaced
-- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
-- Notification of Windows Information Protection misconfigurations that send prompts to end users
-
-
->[!NOTE]
->Information is refreshed daily so that health status can be monitored. Changes will be displayed about 24-48 hours after their occurrence, so you always have a recent snapshot of your devices.
-
-In Azure Portal, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
-
-
-## Device Reliability
-
-- [Frequently crashing devices](#frequently-crashing-devices)
-- [Driver-induced OS crashes](#driver-induced-crashes)
-
-
-
-### Frequently Crashing Devices
-
-This middle blade in Device Reliability displays the devices that have crashed the most often in the last week. This can help you identify unhealthy devices that might need to be rebuilt or replaced.
-
-See the following example:
-
-
-
-
-Clicking the header of the Frequently Crashing Devices blade opens a reliability perspective view, where you can filter data (by using filters in the left pane), see trends, and compare to commercial averages:
-
-
-
-"Commercial averages" here refers to data collected from deployments with a mix of operating system versions and device models that is similar to yours. If your crash rate is higher, there are opportunities for improvement, for example by moving to newer driver versions.
-
-Notice the filters in the left pane; they allow you to filter the crash rate shown to a particular operating system version, device model, or other parameter.
-
->[!NOTE]
->Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that the version has a low crash rate.
-
->[!TIP]
->Once you've applied a filter (for example setting OSVERSION=1607) you will see the query in the text box change to append the filter (for example, with “(OSVERSION=1607)”). To undo the filter, remove that part of the query in the text box and click the search button to the right of the text box to run the adjusted query.”
-
-
-If you click through a particular device from the view blade or from the Device Reliability perspective, it will take you to the Crash History perspective for that device.
-
-
-
-This displays device records sorted by date and crash details by failure ID, also sorted by date. In this view are a number of useful items:
-
-- Crash history records by date, aggregated by Failure ID. The Failure ID is an internal number that is used to group crashes that are related to each other. Eventually over time, you can use the Failure ID to provide additional info. If a crash was caused by driver, some driver fields will also be populated.
-
-- StopCode: this is hex value that would be displayed on a bluescreen if you were looking directly at the affected device.
-
-- Count: the number times that particular Failure ID has occurred on that specific device *on that date*.
-
-
-
-
-### Driver-induced crashes
-
-This blade (on the right) displays drivers that have caused the most devices to crash in the last two weeks. If your crash rate is high, you can reduce the overall operating system crashes in your deployment by upgrading those drivers with a high crash rate.
-
-
-
-
-Clicking a listed driver on the Driver-Induced OS Crashes blade opens a driver perspective view, which shows the details for the responsible driver, trends and commercial averages for that driver, and alternative versions of the driver.
-
-
-
-
-The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. If that driver had been widely deployed, updating it would substantially reduce the overall number of crashes in your organization.
-
-
-## App Reliability
-
-The App Reliability report shows you useful data on app usage and behavior so that you can identify apps that are misbehaving and then take steps to resolve the problem.
-
-### App reliability events
-
-The default view includes the **Devices with events** count, which shows the number of devices in your organization that have logged a reliability event for a given app over the last 14 days. A "reliability event" occurs when an app either exits unexpectedly or stops responding. The table also includes a **Devices with Usage** count. This enables you to see how widely used the app was over the same period to put the Devices with Events count into perspective.
-
-
-
-When you click a particular app, the detailed **App reliability** view opens. The first element in the view is the App Information summary:
-
-
-
-This table contains:
-
-- App name
-- Publisher
-- Devices with usage: the number of unique devices that logged any usage of the app
-- Devices with events: the number of unique devices that logged any reliability event for the app
-- % with events: the ratio of "devices with events" to "devices with usage"
-- % with events (commercial average): the ratio of "devices with events" to "devices with usage" in data collected from deployments with a mix of operating system versions and device models that is similar to yours. This can help you decide if a given app is having problems specifically in your environment or more generally in many environments.
-
-#### Trend section
-Following the App Information summary is the trend section:
-
-
-
-With these trend graphs you can more easily detect if an issue is growing, shrinking, or steady. The trend graph on the left shows the number of devices that logged any reliability event for the app. The trend graph on the right shows the ratio of "devices with events" to "devices with usage."
-
-Each graph displays two lines:
-
-- Trailing window: in this line, each day’s value reflects reliability events that occurred in the 14 days leading up to that day. This is useful for gauging the long-term trend with reduced volatility due to weekends and small populations.
-- Single day: Each day’s value reflects reliability events that occurred in a single day. This is useful if an issue is quickly emerging (or being resolved).
-
-#### App and OS versions table
-The next element in the view is the App and OS versions table:
-
-
-
-
-This table breaks out the metrics by combinations of App and OS version. This enables you to identify patterns in that might indicate devices needing an update or configuration change.
-
-For example, if the table shows that a later version of an app is more reliable than an earlier version in your environment, then prioritizing deployment of the later version is likely the best path forward. If you are already running the latest version of the app, but reliability events are increasing, then you might need to do some troubleshooting, or seek support from Microsoft or the app vendor.
-
-By default the table is limited to the most-used version combinations in your environment. To see all version combinations click anywhere in the table.
-
-
-#### Reliability event history table
-
-The next element in the view is the reliability event history table:
-
-
-
-This table shows the most detailed information. Although Device Health is not a debugging tool, the details available in this table can help with troubleshooting by providing the specific devices, versions, and dates of the reliability events.
-
-This view also includes the **Diagnostic Signature** column. This value can be helpful when you are working with product support or troubleshooting on your own. The value (also known as Failure ID or Failure Name) is the same identifier used to summarize crash statistics for Microsoft and partner developers.
-
-The Diagnostic Signature value contains the type of reliability event, error code, DLL name, and function name involved. You can use this information to narrow the scope of troubleshooting. For example, a value like *APPLICATION_HANG_ThreadHang_Contoso-Add-In.dll!GetRegistryValue()* implies that the app stopped responding when Contoso-Add-In was trying to read a registry value. In this case you might prioritize updating or disabling the add-in, or using Process Monitor to identify the registry value it was trying to read, which could lead to a resolution through antivirus exclusions, fixing missing keys, or similar remedies.
-
-
-By default the table is limited to a few recent rows. To see all rows click anywhere in the table.
-
-
-### FAQs and limitations
-
-#### Why does a particular app not appear in the views?
-When we allow reliability events from all processes, the list of apps fills with noisy processes which don't feel like meaningful end-user apps (for example, taskhost.exe or odd-test-thing.exe). In order to draw focus to the apps which matter most to users, App Reliability uses a series of filters to limit what appears in the list. The filter criteria include the following:
-
-- Filter out background processes which have no detected user interaction.
-- Filter out operating system processes which, despite having user interaction, do not feel like apps (for example, Logonui.exe, Winlogon.exe). **Known limitation:** Some processes which may feel like apps are not currently detected as such (and are therefore filtered out as OS processes). These include Explorer.exe, Iexplore.exe, Microsoftedge.exe, and several others.
-- Remove apps which are not widely used in your environment. **Known limitation:** This might result in an app that you consider important being filtered out when that app is not among the 30 most widely used in your environment.
-
-
-We welcome your suggestions and feedback on this filtering process at the [Device Health Tech Community](https://aka.ms/community/DeviceHealth).
-
-#### Why are there multiple names and entries for the same app?
-For example, you might see *Skype for Business*, *‘skype for business’*, and *Lync* listed separately, but you only use *Skype for Business*. Or you might see *MyApp Pro* and *MyApp Professional* listed separately, even though they feel like the same thing.
-
-Apps have many elements of metadata which describe them. These include an Add/Remove programs title (“Contoso Suite 12”), executable file names (“ContosoCRM.exe”), executable display name (“Contoso CRM”), and others. App publishers (and in some cases app re-packagers) set these values. For the most part we leave the data as set by the publisher which can lead to some report splitting. In certain cases we apply transformations to reduce splitting, for example we (by design) convert many values to lower case so that incoming data such as "Contoso CRM" and "CONTOSO CRM" become the same app name for reporting.
-
-
-
-#### Clicking an app in the App Reliability Events blade sometimes results a List view of records instead of the App Reliability view
-To work around this, click the **App Reliability** tab above the results to see the expected view.
-
-
-
-
-#### Clicking "See all…" from the App Reliability Events blade followed by clicking an app from the expanded list results in raw records instead of the App Reliability view
-To work around this, replace all of the text in the Log Search query box with the following:
-
-*DHAppReliability | where AppFileDisplayName == "\"*
-
-For example:
-
-*DHAppReliability | where AppFileDisplayName == "Microsoft Outlook"*
-
-#### Why does the computer name show up as Unknown?
-Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics.](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates.
-
-## Login Health
-
-Login Health provides reports on Windows login attempts in your environment, including metrics on the login methods being used (such as Windows Hello, face recognition, fingerprint recognition, PIN, or password), the rates and patterns of login success and failure, and the specific reasons logins have failed.
-
-The Login Health blades appear in the Device Health dashboard:
-
-
-
-
-### Login Errors
-The **Login errors** blade displays data on the frequency and type of errors, with statistics on specific errors. They are generally categorized into user-generated (caused by bad input) or non-user-generated (might need IT intervention) errors. Click any individual error to see all instances of the error's occurrence for the specified time period.
-
-### Login Metrics by Type
-The **Login metrics by type** blade shows the success rate for your devices, as well as the success rate for other environments with a mix of operating system versions and device models similar to yours (the **Commercial average success rate**).
-
-In the table (by type) you can gauge how broadly each login type is attempted, the number of devices that prefer the type (most used), and the success rate. If migration from passwords to an alternative such as Hello: PIN is going well, you would see high usage and high success rates for the new type.
-
-Click any of the login types to see detailed login health data for that type:
-
-
-
-This view shows trends over time of usage, preferred credentials, and success rate along with the most frequent errors and frequently failing devices for that login type.
-
-Click a specific login error in this view to see a list of all instances for that error and login type within the specified time range:
-
-
-
-Included in this view are device attributes and error attributes such as the following:
-
-- LogonStatus/LogonSubStatus: Status code for the login attempt
-- SignInFailureReason: Known failure reasons evaluated from status or sub-status
-- SuggestedSignInRemediation: Suggested remediation that was presented to the user at the time of error
-
-The filters in the left pane allow you to filter errors to a particular operating system, device model, or other parameters. Alternatively, clicking the most frequently failing models from the Login Health perspective will take you to a list of error instances filtered to the login type and specified device model within the specified time range.
-
->[!NOTE]
-> Windows Hello: Face authentication errors are not currently included in the login health reports.
-
-
-
-
-## Windows Information Protection
-
-
-Windows Information Protection (WIP) helps protect work data from accidental sharing. Users might be disrupted if WIP rules are not aligned with real work behavior. WIP App Learning shows which apps on which computers are attempting to cross policy boundaries.
-
-For details about deploying WIP policies, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
-
-Once you have WIP policies in place, by using the WIP section of Device Health, you can:
-
-- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
-- Tune WIP rules, for example by confirming that certain apps are allowed or disallowed by current policy.
-
-
-
-
-
-Clicking through the **APP LEARNING** tile shows details of app statistics that you can use to explore each incident and update app policies by using AppLocker or WIP AppIDs.
-
-
-
-In this chart view, you can click a particular app listing, which will open additional details on the app in question, including details you need to adjust your Windows Information Protection Policy:
-
-
-
-Here you can copy the WipAppid and use that for adjusting the WIP policy.
-
-## Data model and built-in extensibility
-
-All of the views and blades display slices of the most useful data by using pre-formed queries. You have access to the full set of data collected by Device Health, which means you can construct your own queries to expose any data that is of interest to you. For documentation on working with log searches, see [Find data using log searches](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). This topic section provides information about the data types being populated specifically by Device Health.
-
-### Example queries
-
-You can run these queries from the Azure Portal **Log Search** interface (available at several points in the Device Health interface) by just typing them in. There are few details to be aware of:
-
-- After running a query, make sure to set the date range (which appears upper left after running initial query) to "7 days" to ensure you get data back.
-- If you see the search tutorial dialog appearing frequently, it's likely because you are have read-only access to the Azure Portal workspace. Ask a workspace administrator to grant you "contributor" permissions (which is required for the "completed tutorial" state to persist).
-- If you use the search filters in the left pane, you might notice there is no control to undo a filter selection. To undo a selection, delete the (FilterName="FilterValue") element that is appended to the search query and then click the search button again. For example, after you run a base query of *Type = DHOSReliability KernelModeCrashCount > 0*, a number of filter options appear on the left. If you then filter on **Manufacturer** (for example, by setting *Manufacturer="Microsoft Corporation"* and then clicking **Apply**), the query will change to *Type = DHOSReliability KernelModeCrashCount > 0 (Manufacturer="Microsoft Corporation")*. Delete *(Manufacturer="Microsoft Corporation")* and then click the **search** button again to re-run the query without that filter.
-
-### Device reliability query examples
-
-| Data | Query |
-|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Total devices | Type = DHOSReliability \| measure countdistinct(ComputerID) by Type |
-| Number of devices that have crashed in the last three weeks | Type = DHOSReliability KernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type |
-| Compare the percentage of your devices that have not crashed with the percentage of similar devices outside your organization ("similar" here means other commercial devices with the same mix of device models, operating system versions and update levels). | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by Type \| Display Table |
-| As above, but sorted by device manufacturer | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by Manufacturer \| sort NumberDevices desc \| Display Table |
-| As above, but sorted by model | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by ModelFamily\| sort NumberDevices desc \| Display Table |
-| As above, but sorted by operating system version | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by OSVersion \| sort NumberDevices desc \| Display Table |
-| Crash rate trending in my organization compared to the commercial average. Each interval shows percentage of devices that crashed at least once in the trailing two weeks | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by TimeGenerated \| Display LineChart |
-| Table of devices that have crashed the most in the last two weeks | Type = DHOSReliability KernelModeCrashCount > 0 \| Dedup ComputerID \| select Computer, KernelModeCrashCount \| sort TimeGenerated desc, KernelModeCrashCount desc \| Display Table |
-| Detailed crash records, most recent first | Type = DHOSCrashData \| sort TimeGenerated desc, Computer asc \| display Table |
-| Number of devices that crashed due to drivers | Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type |
-| Table of drivers that have caused the most devices to crash | Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by DriverName \| Display Table |
-| Trend of devices crashed by driver by day | \* Type=DHOSCrashData DriverName!="ntkrnlmp.exe" DriverName IN {Type=DHOSCrashData \| measure count() by DriverName |
-| Crashes for different versions of a given driver (replace netwtw04.sys with the driver you want from the previous list). This lets you get an idea of which *versions* of a given driver work best with your devices | Type = DHDriverReliability DriverName="netwtw04.sys" \| Dedup ComputerID \| sort TimeGenerated desc \| measure countdistinct(ComputerID) as InstallCount, sum(map(DriverKernelModeCrashCount,1,10000, 1)) as DevicesCrashed by DriverVersion \| Display Table |
-| Top crashes by FailureID | Type =DHOSCrashData \| measure count() by KernelModeCrashFailureId \| Display Table |
-
-### Windows Information Protection (WIP) App Learning query examples
-
-| Data | Query |
-|------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|
-| Apps encountering policy boundaries on the most computers (click on an app in the results to see details including computer names) | Type=DHWipAppLearning \| measure countdistinct(ComputerID) as ComputerCount by AppName |
-| Trend of App Learning activity for a given app. Useful for tracking activity before and after a rule change | Type=DHWipAppLearning AppName="MICROSOFT.SKYPEAPP" |
-
-### Exporting data and configuring alerts
-
-Azure Portal enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automatically on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set.
-
-
-
-
-## Related topics
-
-[Get started with Device Health](device-health-get-started.md)
-
-For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 37ed550405..7e35245a09 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -19,7 +19,7 @@ ms.topic: article
**Applies to**: Windows 10
-Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
+Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates).
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index d08ff458c4..a81d83a38c 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -41,12 +41,12 @@ Windows as a service provides a new way to think about building, deploying, and
| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
-| [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
+| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. |
| [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
>[!TIP]
->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
+>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 8996c05986..731828c027 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -17,13 +17,11 @@ ms.topic: article
# Monitor Windows Updates with Update Compliance
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
## Introduction
-Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to:
+Update Compliance enables organizations to:
* Monitor security, quality, and feature updates for Windows 10 Professional, Education, and Enterprise editions.
* View a report of device and update issues related to compliance that need attention.
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index aee88e8e01..6bb0bf7519 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -20,7 +20,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
+BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
@@ -39,7 +39,7 @@ In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization
## Configure servers for BranchCache
-You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager.
+You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Endpoint Configuration Manager.
For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide).
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index ae41811326..0c96d3ba90 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -190,7 +190,7 @@ Starting with Windows 10, version 1709, you can set policies to manage preview b
The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
* MDM: **Update/ManagePreviewBuilds**
-* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
+* Microsoft Endpoint Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
>[!IMPORTANT]
>This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
@@ -273,5 +273,5 @@ When a device running a newer version sees an update available on Windows Update
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 6d7bf33b2a..9de80024c2 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -24,7 +24,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled).
+Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Configuration Manager (when installation of Express Updates is enabled).
Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
@@ -190,5 +190,5 @@ If you suspect this is the problem, try a Telnet test between two devices on the
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index d5eab1b3c4..5888c1f3a1 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -56,7 +56,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is
|  | Build deployment rings for Windows 10 updates (this topic) |
|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 4d5f0b31bc..9d8afa433e 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -1,6 +1,6 @@
---
title: Integrate Windows Update for Business (Windows 10)
-description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -21,7 +21,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.
## Integrate Windows Update for Business with Windows Server Update Services
@@ -85,7 +85,7 @@ In this example, the deferral behavior for updates to Office and other non-Windo
>[!NOTE]
> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
-## Integrate Windows Update for Business with System Center Configuration Manager
+## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager
For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
@@ -109,6 +109,6 @@ For more information, see [Integration with Windows Update for Business in Windo
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 1ebdd76767..da28265e33 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -1,6 +1,6 @@
---
-title: Deploy Windows 10 updates via System Center Configuration Manager
-description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
+title: Deploy Windows 10 updates via Microsoft Endpoint Configuration Manager
+description: Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -11,7 +11,7 @@ manager: laurawi
ms.topic: article
---
-# Deploy Windows 10 updates using System Center Configuration Manager
+# Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager
**Applies to**
@@ -25,21 +25,21 @@ ms.topic: article
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
-System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
+Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
>[!NOTE]
->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
+>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
## Windows 10 servicing dashboard
-The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
+The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
-- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
+- **Windows Server Update Service (WSUS)**. Microsoft Endpoint Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
@@ -143,7 +143,7 @@ After you have updated the membership, this new collection will contain all mana
## Use Windows 10 servicing plans to deploy Windows 10 feature updates
-There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
+There are two ways to deploy Windows 10 feature updates with Microsoft Endpoint Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
@@ -160,7 +160,7 @@ There are two ways to deploy Windows 10 feature updates with System Center Confi
>
>
>
- >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
+ >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
@@ -212,10 +212,7 @@ Each time Microsoft releases a new Windows 10 build, it releases a new .iso file
3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
-
- >[!NOTE]
- >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
-
+
4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
5. On the **Summary** page, click **Next** to create the package.
@@ -303,11 +300,11 @@ With the task sequence created, you’re ready to deploy it. If you’re using t
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using System Center Configuration Manager (this topic) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager (this topic) |
## See also
-[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
+[Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service)
## Related topics
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index e24cc6ff0b..14223dbdc3 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -24,7 +24,7 @@ ms.topic: article
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
-WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Configuration Manager provides.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
@@ -272,7 +272,7 @@ For clients that should have their feature updates approved as soon as they’re
Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
> [!WARNING]
-> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actualy want--which can be a problem when the download sizes are very large.
+> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
## Manually approve and deploy feature updates
@@ -331,7 +331,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
@@ -351,5 +351,5 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 479877ca3a..2486006471 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -118,7 +118,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | Deploy updates using Windows Update for Business (this topic) or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+|  | Deploy updates using Windows Update for Business (this topic) or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
- [Update Windows 10 in the enterprise](index.md)
@@ -135,7 +135,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
index c0d1218ade..abb64e0561 100644
--- a/windows/deployment/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -70,7 +70,7 @@ Only the following Windows Update for Business policies are supported for Window
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 7eda1ffad1..1e0f4be7b7 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -33,7 +33,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
>[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
- Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
+ Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
@@ -43,9 +43,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
| BranchCache |  |  | |  |
> [!NOTE]
-> System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
+> Microsoft Endpoint Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/configmgr/core/plan-design/hierarchy/client-peer-cache).
>
-> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
+> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Microsoft Endpoint Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
## Express update delivery
@@ -55,7 +55,7 @@ Windows 10 quality update downloads can be large because every package contains
> Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
-- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
+- **Express on Microsoft Endpoint Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
@@ -93,7 +93,7 @@ At this point, the download is complete and the update is ready to be installed.
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | Optimize update delivery for Windows 10 updates (this topic) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 1b1a144c38..812e47c937 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -112,7 +112,7 @@ The concept of servicing channels is new, but organizations can use the same man
In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Starting with Windows 10, version 1607, more servicing tools that can delay feature updates for up to 365 days are available. This servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
-When Microsoft officially releases a feature update for Windows 10, it is made available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
+When Microsoft officially releases a feature update for Windows 10, it is made available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release.
@@ -163,9 +163,9 @@ There are many tools with which IT pros can service Windows as a service. Each o
- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 device.
- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
-- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
+- **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
-With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
+With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
**Table 1**
@@ -190,7 +190,7 @@ With all these options, which an organization chooses depends on the resources,
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index b2f7bf1b6a..7e0bf21538 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -48,7 +48,7 @@ See [Assign devices to servicing channels for Windows 10 updates](waas-servicing
## Staying up to date
-The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
+The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 2f891c98c0..2eae42de3a 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -178,7 +178,7 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
|  | Assign devices to servicing channels for Windows 10 updates (this topic) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index 66ffdd5dd6..d55a28a5c1 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -87,7 +87,7 @@ Moving to the cumulative model for legacy OS versions continues to improve predi
Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
> [!NOTE]
-> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as System Center Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10.
+> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10.
> [!NOTE]
> Preview updates for Windows 10 are not named differently than their LCU counterparts and do not contain the word 'Preview'. They can be identified by their release date (C or D week) and their classification as non-security updates.
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 66702a34a3..e82f2eebde 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -32,7 +32,7 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which
- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
-- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
>[!NOTE]
@@ -56,7 +56,7 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 8b7d1bcfd2..5119f6f5be 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -138,7 +138,7 @@ We recommend that you set up a ring to receive preview builds by joining the Win
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 71296b4265..30af2075e1 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -282,7 +282,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
deleted file mode 100644
index 5898646433..0000000000
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ /dev/null
@@ -1,295 +0,0 @@
----
-title: Frequently asked questions and troubleshooting Windows Analytics
-ms.reviewer:
-manager: laurawi
-description: Frequently asked questions about Windows Analytics and steps to take when things go wrong
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.audience: itpro
-author: jaimeo
-ms.localizationpriority: medium
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Frequently asked questions and troubleshooting Windows Analytics
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
->[!IMPORTANT]
->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
-
-This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support.
-
-## Troubleshooting common problems
-
-If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here.
-
-[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness)
-
-[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability)
-
-[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability)
-
-[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability)
-
-[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb)
-
-[Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data)
-
-[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices)
-
-[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices)
-
-[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices)
-
-[Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results](#custom-log-queries-using-the-abnormalshutdowncount-field-of-device-health-show-zero-or-lower-than-expected-results)
-
-[Disable Upgrade Readiness](#disable-upgrade-readiness)
-
-[Exporting large data sets](#exporting-large-data-sets)
-
-
-### Devices not appearing in Upgrade Readiness
-
-In Log Analytics workspace, go to **Solutions** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
-
-Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog.
-
->[!NOTE]
-> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id, See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started).
-
-If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues:
-
-1. Download and extract the [Upgrade Readiness Deployment Script](https://www.microsoft.com/download/details.aspx?id=53327). Ensure that the **Pilot/Diagnostics** folder is included.
-2. Edit the script as described in [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md).
-3. Check that `isVerboseLogging` is set to `$true`.
-4. Run the script again. Log files will be saved to the directory specified in the script.
-5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully.
-6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information.
-
-If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally.
-
-If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog.
-
-If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps:
-1. Net stop diagtrack
-2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f
-3. Net start diagtrack
-
-#### Devices not appearing in Device Health Device Reliability
-
-[](images/device-reliability-device-count.png)
-
-If you have devices that appear in other solutions, but not Device Health (the Device Health overview tile shows "Performing Assessment" or the device count is lower than expected), follow these steps to investigate the issue:
-1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again.
-2. Confirm that the devices are running Windows 10.
-3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
-4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full).
- - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the IT policy path.
- - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the user preference (Settings app) path.
- - IMPORTANT: By convention (and in earlier versions of Windows 10) the IT policy would take precedence over any user preference. Starting with Windows 10, version 1803, the user can lower the device's effective value even when an IT policy is set. This change assists organizations in complying with regional or organizational expectations about user control over privacy settings. For organizations where user control of privacy settings is not required, the previous behavior (IT policy path always wins) can be enabled using the new policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**.
-5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
-6. Wait 48 hours for activity to appear in the reports.
-7. If you need additional troubleshooting, contact Microsoft Support.
-
-
-### Device crashes not appearing in Device Health Device Reliability
-
-[](images/device-reliability-crash-count.png)
-
-If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue:
-
-1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic.
-2. Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals.
-3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set):
-
- - Verify that the value "Disabled" (REG_DWORD), if set, is 0.
- - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
- - Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
-
-4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes.
-5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this:
-
- [](images/event_1001.png)
-
- You can use the following Windows PowerShell snippet to summarize recent occurrences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however).
-
- ```powershell
- $limitToMostRecentNEvents = 20
- Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} |
- ?{ $_.Properties[2].Value -match "crash|blue" } |
- % { [pscustomobject]@{
- TimeCreated=$_.TimeCreated
- WEREvent=$_.Properties[2].Value
- BucketId=$_.Properties[0].Value
- ContextHint = $(
- if($_.Properties[2].Value -eq "bluescreen"){"kernel"}
- else{ $_.Properties[5].Value }
- )
- }} | Select-Object -First $limitToMostRecentNEvents
- ```
- The output should look something like this:
- [](images/device-reliability-event1001-PSoutput.png)
-
-6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events.
-7. Wait 48 hours for activity to appear in the reports.
-8. If you need additional troubleshooting, contact Microsoft Support.
-
-#### Endpoint connectivity
-
-Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
-
-If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
-
-
-For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication).
-
-### Apps not appearing in Device Health App Reliability
-
-[](images/app-reliability.png)
-
-If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue:
-
-1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic.
-2. Confirm that an in-scope application has crashed on an enrolled device. Keep the following points in mind:
- - Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system.
- - Enrolling more devices helps to ensure that there are enough naturally occurring app crashes.
- - You can also use test apps which are designed to crash on demand.
-
-3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set):
-
- - Verify that the value "Disabled" (REG_DWORD), if set, is 0.
- - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
- - Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
-4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events.
-5. Wait 48 hours for activity to appear in the reports.
-6. If you need additional troubleshooting, contact Microsoft Support.
-
-
-### Upgrade Readiness shows many "Computers with outdated KB"
-If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile:
-
-[](images/outdated_outdated.png)
-
-On Windows 7 SP1 and Windows 8.1 devices, you must deploy the compatibility update as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
-
-Note that the compatibility update retains the same KB number when a new version is released, so even if the update is installed on your devices, *they might not be running the latest version*. The compatibility update is now a critical update, so you can check that the latest version is installed from your management tool.
-
-
-### Upgrade Readiness shows many "Computers with incomplete data"
-If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile:
-
-[](images/outdated_incomplete.png)
-
-Download the latest deployment script and run it on an affected device to check for issues. See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. Remember to wait up to 48-72 hours to see the results.
-See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.
-
-
-If this becomes a recurring issue, schedule a full inventory scan monthly, as per the device enrollment guidelines for deployment at scale.
-
-
-
-### Upgrade Readiness doesn't show app inventory data on some devices
-Upgrade Readiness only collects app inventory on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
-
-
-### Upgrade Readiness doesn't show IE site discovery data from some devices
-Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.)
-
-Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level.
-
-There are two additional configurations to check:
-1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction.
-2. Make sure IE is not running in InPrivate mode.
-
-Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
-
->[!NOTE]
-> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries.
-
-### Device names not appearing for Windows 10 devices
-Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates.
-
-### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results
-This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button.
-
-We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds:
-
-
-- Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds.
-- Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced.
-- Use alternative data from devices to track abnormal shutdowns. For example, you can forward abnormal shutdown events from the Windows Event Log to your Log Analytics workspace by using the Log Analytics agent. Suggested events to forward include:
- - Log: System, ID: 41, Source: Kernel-Power
- - Log System, ID: 6008, Source: EventLog
-
-
-
-### Disable Upgrade Readiness
-
-If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps:
-
-1. Delete the Upgrade Readiness solution in Log Analytics workspace. In Log Analytics workspace. select **Solutions** > **Compatibility Assessment** > **Delete**.
-
-2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
-
- **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
-
- **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
-
-3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
-4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection".
-
-### Exporting large data sets
-
-Azure Log Analytics is optimized for advanced analytics of large data sets and can efficiently generate summaries and analytics for them. The query language is not optimized (or intended) for returning large raw data sets and has built-in limits to protect against overuse. There are times when it might be necessary to get more data than this, but that should be done sparingly since this is not the intended way to use Azure Log Analytics. The following code snippet shows how to retrieve data from UAApp one “page” at a time:
-
-```
-let snapshot = toscalar(UAApp | summarize max(TimeGenerated));
-let pageSize = 100000;
-let pageNumber = 0;
-
-UAApp
-| where TimeGenerated == snapshot and IsRollup==true and RollupLevel=="Granular" and Importance == "Low install count"
-| order by AppName, AppVendor, AppVersion desc
-| serialize
-| where row_number(0) >= (pageSize * pageNumber)
-| take pageSize
-```
-
-
-
-## Other common questions
-
-### What are the requirements and costs for Windows Analytics solutions?
-
-| Windows Analytics solution| Windows license requirements | Windows version requirements | Minimum diagnostic data requirements |
-|----------------------|-----------------------------------|------------------------------|------------------------------|
-| Upgrade Readiness | No additional requirements | Windows 7 with Service Pack 1, Windows 8.1, Windows 10 | Basic level in most cases; Enhanced level to support Windows 10 app usage data and IE site discovery |
-| Update Compliance | No additional requirements | Windows 10 | Basic level |
-| Device Health | **Any** of the following licenses: - Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance - Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5) - Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5) - Windows VDA E3 or E5 per-device or per-user subscription - Windows Server 2016 or later | Windows 10 | - For Windows 10 version 1709 or later: Enhanced (Limited) - For earlier versions: Enhanced
-
->[!NOTE]
-> Regarding licensing requirements for Device Health, you do not need per-seat licensing, but only enough licenses to cover your total device usage. For example, if you have 100 E3 licenses, you can monitor 100 devices with Device Health.
-
-Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. Within Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen. To be more specific, Azure Log Analytics is available in different pricing tiers as described in [Pricing - Log Analytics](https://azure.microsoft.com/pricing/details/log-analytics/).
-- If you are using the free tier, which has a cap on the amount of data collected per day, the Windows Analytics data will not count towards this cap. You will be able to collect all the Windows Analytics data from your devices and still have the full cap available for collecting additional data from other sources.
-- If you are using a paid tier that charges per GB of data collected, the Windows Analytics data will not be charged. You will be able to collect all the Windows Analytics data from your devices and not incur any costs.
-
-Note that different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace's data retention policy. So, for example, if your workspace is on the free plan then Windows Analytics will retain the last week's worth of "daily snapshots" that are collected in the workspace.
-
-
-### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade?
-System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”.
-
-Currently, you can choose the criteria you wish to use:
-- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector).
-- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet.
-
-### How does Upgrade Readiness collect the inventory of devices and applications?
-For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog.
diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md
deleted file mode 100644
index 5b1310a627..0000000000
--- a/windows/deployment/update/windows-analytics-azure-portal.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Windows Analytics in the Azure Portal
-ms.reviewer:
-manager: laurawi
-description: Use the Azure Portal to add and configure Windows Analytics solutions
-keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.audience: itpro
-author: jaimeo
-ms.localizationpriority: medium
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Windows Analytics in the Azure Portal
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-Windows Analytics uses Azure Log Analytics workspaces (formerly known as Operations Management Suite or OMS), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments.
-
-**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
-
-## Navigation and permissions in the Azure portal
-
-Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics workspaces*. Once it appears, you can select the star to add it to your favorites for easy access in the future.
-
-[](images/azure-portal-LAfav1.png)
-
-### Permissions
-
-It's important to understand the difference between Azure Active Directory and an Azure subscription:
-
-**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365.
-
-An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices.
-
-
->[!IMPORTANT]
->Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group.
-
-To check the Log Analytics workspaces you can access, select **Log Analytics workspaces**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to:
-
-[](images/azure-portal-LAmain-wkspc-subname-sterile.png)
-
-If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states).
-
-When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page.
-
-[](images/azure-portal-LA-wkspcsumm_sterile.png)
-
-## Adding Windows Analytics solutions
-
-In the Azure portal, the simplest way to add Windows Analytics solutions (Upgrade Readiness, Update Compliance, and Device Health) is to select **+ Create a resource** and then type the solution name in the search box. In this example, the search is for "Device Health":
-
-[](images/azure-portal-create-resource-boxes.png)
-
-Select the solution from the list that is returned by the search, and then select **Create** to add the solution.
-
-## Navigating to Windows Analytics solutions settings
-
-To adjust settings for a Windows Analytics solution, first navigate to the **Solutions** tab for your workspace, and then select the solution to configure. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**:
-
-[](images/temp-azure-portal-soltn-setting.png)
-
-From there, select the settings page to adjust specific settings:
-
-[](images/azure-portal-UR-settings.png)
-
->[!NOTE]
->To access these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure.
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
deleted file mode 100644
index 18a4d35cd9..0000000000
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ /dev/null
@@ -1,216 +0,0 @@
----
-title: Enrolling devices in Windows Analytics (Windows 10)
-ms.reviewer:
-manager: laurawi
-description: Enroll devices to enable use of Update Compliance, Upgrade Readiness, and Device Health in Windows Analytics.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, azure portal
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-author: jaimeo
-ms.author: jaimeo
-ms.localizationpriority: medium
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Enrolling devices in Windows Analytics
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-If you have not already done so, consult the topics for any of the three Windows Analytics solutions (Update Compliance, Upgrade Readiness, and Device Health) you intend to use and follow the steps there to add the solutions to Azure Portal.
-
-- [Get started with Device Health](device-health-get-started.md)
-- [Get started with Update Compliance](update-compliance-get-started.md)
-- [Get started with Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md)
-
-If you've already done that, you're ready to enroll your devices in Windows Analytics by following these steps:
-
-
-
-## Copy your Commercial ID key
-
-Microsoft uses a unique commercial ID to map information from user computers to your Azure workspace. This should be generated for you automatically. Copy your commercial ID key from any of the Windows Analytics solutions you have added to your Windows Portal, and then deploy it to user computers.
-
-To find your commercial ID, first navigate to the **Solutions** tab for your workspace, and then select the solution. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**:
-
-[](images/temp-azure-portal-soltn-setting.png)
-
-From there, select the settings page, where you can find and copy your commercial ID:
-
-[](images/azure-portal-UR-settings.png)
-
-
-
-
->**Important** Regenerate a Commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
-
-
-## Enable data sharing
-
-To enable data sharing, configure your proxy server to whitelist the following endpoints. You might need to get approval from your security group to do this.
-
-| **Endpoint** | **Function** |
-|---------------------------------------------------------|-----------|
-|`https://ceuswatcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
-| `https://ceuswatcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
-| `https://eaus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
-| `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
-| `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
-| `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness or Update Compliance AV reports. |
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices running Windows 10, version 1803 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** |
-| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803 *without* the 2018-09 Cumulative Update installed |
-| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier |
-| `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 |
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
-| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
-| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health reports. Not used by Upgrade Readiness or Update Compliance AV reports. |
-| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health reports. Not used by Upgrade Readiness or Update Compliance AV reports. |
-| `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
-
-
-
->[!NOTE]
->Proxy authentication and SSL inspections are frequent challenges for enterprises. See the following sections for configuration options.
-
-> [!IMPORTANT]
-> For privacy and data integrity, Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. SSL interception and inspection aren't possible. To use Desktop Analytics, exclude these endpoints from SSL inspection.
-
->[!NOTE]
->Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, Microsoft doesn't collect the following data from devices located in European countries (EEA and Switzerland):
->- Windows diagnostic data from Windows 8.1 devices
->- App usage data and [Internet Explorer site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) features for Windows 7 devices
-
-
-
-### Configuring endpoint access with SSL inspection
-To ensure privacy and data integrity Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. Accordingly SSL interception and inspection is not possible. To use Windows Analytics services you should exclude the above endpoints from SSL inspection.
-
-### Configuring endpoint access with proxy server authentication
-If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches to ensure that the diagnostic data is not blocked by proxy authentication:
-
-- **Best option: Bypass** Configure your proxy servers to **not** require proxy authentication for traffic to the diagnostic data endpoints. This is the most comprehensive solution and it works for all versions of Windows 10.
-- **User proxy authentication:** Alternatively, you can configure devices to use the logged on user's context for proxy authentication. First, update the devices to Windows 10, version 1703 or later. Then, ensure that users of the devices have proxy permission to reach the diagnostic data endpoints. This requires that the devices have console users with proxy permissions, so you couldn't use this method with headless devices.
-- **Device proxy authentication:** Another option--the most complex--is as follows: First, configure a system level proxy server on the devices. Then, configure these devices to use machine-account-based outbound proxy authentication. Finally, configure proxy servers to allow the machine accounts access to the diagnostic data endpoints.
-
-## Deploy the compatibility update and related updates
-
-The compatibility update scans your devices and enables application usage tracking. If you don’t already have these updates installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
-
-| **Operating System** | **Updates** |
-|----------------------|-----------------------------------------------------------------------------|
-| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up to date with cumulative updates. |
-| Windows 8.1 | The compatibility update is included in monthly quality updates for Windows 8.1. We recommend installing the latest [Windows Monthly Rollup](https://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%208) before attempting to enroll devices into Windows Analytics. |
-| Windows 7 SP1 | The compatibility update is included in monthly quality updates for Windows 7. We recommend installing the latest [Windows Monthly Rollup](https://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%207) before attempting to enroll devices into Windows Analytics. |
-
-### Connected User Experiences and Telemetry service
-
-With Windows diagnostic data enabled, the Connected User Experience and Telemetry service (DiagTrack) collects system, application, and driver data. Microsoft analyzes this data, and shares it back to you through Windows Analytics. For the best experience, install these updates depending upon the operating system version.
-
-- For Windows 10, install the latest Windows 10 cumulative update.
-- For Windows 8.1, install the October 2018 monthly rollup, [KB4462926](https://support.microsoft.com/help/4462926)
-- For Windows 7, install the October 2018 monthly rollup, [KB4462923](https://support.microsoft.com/help/4462923)
-
-
-
->[!IMPORTANT]
->Restart devices after you install the compatibility updates for the first time.
-
->[!NOTE]
->We recommend you configure your update management tool to automatically install the latest version of these updates. There is a related optional update, [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513), which can provide updated configuration and definitions for older compatibiltiy updates. For more information about this optional update, see .
-
-
-
-If you are planning to enable IE Site Discovery in Upgrade Readiness, you will need to install a few additional updates.
-
-| **Site discovery** | **Update** |
-|----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](https://www.catalog.update.microsoft.com/Search.aspx?q=3080149) Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. For more information about this update, see
Install the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
-
->[!NOTE]
-> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries.
-
-## Set diagnostic data levels
-
-You can set the diagnostic data level used by monitored devices either with the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) or by policy (by using Group Policy or Mobile Device Management).
-
-The basic functionality of Upgrade Readiness will work at the Basic diagnostic data level, you won't get usage or health data for your updated devices without enabling the Enhanced level. This means you won't get information about health regressions on updated devices. So it is best to enable the Enhanced diagnostic data level, at least on devices running Windows 10, version 1709 (or later) where the Enhanced diagnostic data setting can be paired with "limited enhanced" data level (see [Windows 10 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)). For more information, see [Windows Analytics and privacy](https://docs.microsoft.com/windows/deployment/update/windows-analytics-privacy).
-
-## Enroll a few pilot devices
-
-You can use the Upgrade Readiness deployment script to automate and verify your deployment. We always recommend manually running this script on a few representative devices to verify things are properly configured and the device can connect to the diagnostic data endpoints. Make sure to run the pilot version of the script, which will provide extra diagnostics.
-
-See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.
-
-After data is sent from devices to Microsoft, it generally takes 48-56 hours for the data to populate in Windows Analytics. The compatibility update takes several minutes to run. If the update does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Windows Analytics. For this reason, you can expect most of your devices to be populated in Windows Analytics within 1-2 days after deploying the update and configuration to user computers. As described in the Windows Analytics blog post ["You can now check on the status of your computers within hours of running the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/), you can verify that devices have successfully connected to the service within a few hours. Most of those devices should start to show up in the Windows Analytics console within a few days.
-
-## Deploy additional optional settings
-
-Certain Windows Analytics features have additional settings you can use.
-
-- **Update Compliance** is only compatible with Windows 10 desktop devices (workstations and laptops). To use the Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a partner antivirus application), and must have enabled cloud-delivered protection, as described in [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help with ensuring that the configuration is correct.
-
-- For devices running Windows 10, version 1607 or earlier, Windows diagnostic data must also be set to Enhanced (see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level)) in order to be compatible with Windows Defender Antivirus. See the [Windows Defender Antivirus in Windows 10 and Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for more information about enabling, configuring, and validating Windows Defender AV.
-
-- **Device Health** is only compatible with Windows 10 desktop devices (workstations and laptops). The solution requires that at least the Enhanced level of diagnostic data is enabled on all devices that are intended to be displayed in the solution. In Windows 10, version 1709, a new policy was added to "limit enhanced telemetry to the minimum required by Windows Analytics". To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
-
-- **IE site discovery** is an optional feature of Upgrade Readiness that provides an inventory of websites that are accessed by client devices using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. To enable IE site discovery, make sure the required updates are installed (per previous section) and enable IE site discovery in the deployment script batch file.
-
-## Deploying Windows Analytics at scale
-
-When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining devices in your organization.
-
-### Automate data collection
-
-To ensure that user computers are receiving the most up-to-date data from Microsoft, we recommend that you establish the following data sharing and analysis processes:
-
-- Enable automatic updates for the compatibility update and related updates. These updates include the latest application and driver issue information as we discover it during testing.
-- Schedule the Upgrade Readiness deployment script to automatically run monthly. Scheduling the script ensures that full inventory is sent monthly even if devices were not connected or had low battery power at the time the system normally sends inventory. Make sure to run the production version of the script, which is lighter weight and non-interactive. The script also has a number of built-in error checks, so you can monitor the results. If you can't run the deployment script at scale, another option is to configure things centrally via Group Policy or Mobile Device Management (MDM). Although we recommend using the deployment script, both options are discussed in the sections below.
-
-When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the changes is created when the update package is installed. For Windows 10 devices, this task is already included in the operating system. A full scan averages about 2 MB, but the scans for changes are very small. The scheduled task is named "Windows Compatibility Appraiser" and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Changes are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on.
-
-### Distribute the deployment script at scale
-
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [Upgrade Readiness deployment script](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-deployment-script). For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension).
-
-### Distributing policies at scale
-
-There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set.
->[!NOTE]
->You can only set the diagnostic data level to Enhanced by using policy. For example, this is necessary to use Device Health.
-
-These policies are defined by values under **Microsoft\Windows\DataCollection**. All are REG_DWORD policies (except CommercialId which is REG_SZ).
-
->[!IMPORTANT]
->Configuring these keys independently without using the enrollment script is not recommended. There is additional validation that occurs when you use the enrollment script.
-
-| Policy | Value |
-|-----------------------|------------------|
-| CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organization’s Commercial ID. |
-| AllowTelemetry | **In Windows 10**: 1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
-| LimitEnhancedDiagnosticDataWindowsAnalytics | **In Windows 10**: Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
-| AllowDeviceNameInTelemetry | **In Windows 10, version 1803**: A separate opt-in is required to enable devices to continue to send the device name. Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. |
-| CommercialDataOptIn | **In Windows 7 and Windows 8**: 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
-
-You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/*Provider ID*/CommercialID). (If you are using Microsoft Intune, use `MS DM Server` as the provider ID.) For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
-
-The corresponding preference registry values are available in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** and can be configured by the deployment script. If a given setting is configured by both preference registry settings and policy, the policy values will override. However, the **IEDataOptIn** setting is different--you can only set this with the preference registry keys:
-
-- IEOptInLevel = 0 Internet Explorer data collection is disabled
-- IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones
-- IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones
-- IEOptInLevel = 3 Data collection is enabled for all sites
-
-For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://docs.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)).
-
-### Distribution at scale without using the deployment script
-
-We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you won't benefit from its error checking, and you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.
-
-Note that it is possible to initiate a full inventory scan on a device by calling these commands:
-- CompatTelRunner.exe -m:generaltel.dll -f:DoCensusRun
-- CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun ent
-
-For details on how to run these and how to check results, see the deployment script.
-
diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md
deleted file mode 100644
index 5d63af3e36..0000000000
--- a/windows/deployment/update/windows-analytics-overview.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Windows Analytics
-ms.reviewer:
-manager: laurawi
-description: Introduction and overview of Windows Analytics
-keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.audience: itpro
-author: jaimeo
-ms.localizationpriority: medium
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Windows Analytics overview
-
-Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination:
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-
-## Device Health
-
-[Device Health](device-health-get-started.md) provides the following:
-
-- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced
-- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
-- Notification of Windows Information Protection misconfigurations that send prompts to end users
-
-
-
-## Upgrade Readiness
-
-[Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md) offers a set of tools to plan and manage the upgrade process end to end, allowing you to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Upgrade Readiness not only supports upgrade management from Windows 7 and Windows 8.1 to Windows 10, but also Windows 10 upgrades in the Windows as a service model.
-
-Use Upgrade Readiness to get:
-
-- A visual workflow that guides you from pilot to production
-- Detailed computer and application inventory
-- Powerful computer-level search and drill-downs
-- Guidance and insights into application and driver compatibility issues, with suggested fixes
-- Data-driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools, including System Center Configuration Manager
-
-To get started with any of these solutions, visit the links for instructions to add it to Azure Portal.
-
->[!NOTE]
-> For details about licensing requirements and costs associated with using Windows Analytics solutions, see [What are the requirements and costs for Windows Analytics solutions?](windows-analytics-FAQ-troubleshooting.md#what-are-the-requirements-and-costs-for-windows-analytics-solutions).
diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md
deleted file mode 100644
index fcfe1d41f9..0000000000
--- a/windows/deployment/update/windows-analytics-privacy.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Windows Analytics and privacy
-ms.reviewer:
-manager: laurawi
-description: How Windows Analytics uses data
-keywords: windows analytics, oms, privacy, data, diagnostic, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.audience: itpro
-author: jaimeo
-ms.localizationpriority: high
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Windows Analytics and privacy
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-Windows Analytics is fully committed to privacy, centering on these tenets:
-
-- **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
-- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics
-- **Security:** Your data is protected with strong security and encryption
-- **Trust:** Windows Analytics supports the Microsoft Online Service Terms
-
-The following illustration shows how diagnostic data flows from individual devices through the Diagnostic Data Service, Azure Log Analytics storage, and to your Log Analytics workspace:
-
-[](images/WA-data-flow-v1.png)
-
-The data flow sequence is as follows:
-
-1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US.
-2. An IT administrator creates an Azure Log Analytics workspace. The administrator chooses the location, copies the Commercial ID (which identifies that workspace), and then pushes Commercial ID to devices they want to monitor. This is the mechanism that specifies which devices appear in which workspaces.
-3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management service.
-4. These snapshots are copied to transient storage which is used only by Windows Analytics (also hosted in US data centers) where they are segregated by Commercial ID.
-5. The snapshots are then copied to the appropriate Azure Log Analytics workspace.
-6. If the IT administrator is using the Upgrade Readiness solution, user input from the IT administrator (specifically, the target operating system release and the importance and upgrade readiness per app) is stored in the Windows Analytics Azure Storage. (Upgrade Readiness is the only Windows Analytics solution that takes such user input.)
-
-
-See these topics for additional background information about related privacy issues:
-
-- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
-- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
-- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965)
-- [Windows 10, version 1903 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903)
-- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809)
-- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803)
-- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709)
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
-- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields)
-- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
-- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
-- [Learn about security and privacy at Microsoft datacenters](https://www.microsoft.com/datacenters)
-- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
-- [Trust Center](https://www.microsoft.com/trustcenter)
-
-### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service?
-No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
-
-### Can I choose the data center location?
-Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US).
diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md
index 828c0bf6b7..ac584017e2 100644
--- a/windows/deployment/update/wufb-autoupdate.md
+++ b/windows/deployment/update/wufb-autoupdate.md
@@ -25,9 +25,9 @@ Automatic Update governs the "behind the scenes" download and installation proce
|Policy|Description |
|-|-|
-|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.|
+|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/configmgr/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.|
|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.|
-|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.|
+|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Configuration Manager users who want to install custom packages that are not offered through Windows Update.|
|Do not connect to any Windows Update Internet locations Required for Dual Scan|Prevents access to Windows Update.|
## Suggested configuration
diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md
index 0fe22b0935..e451d7751a 100644
--- a/windows/deployment/update/wufb-managedrivers.md
+++ b/windows/deployment/update/wufb-managedrivers.md
@@ -41,7 +41,7 @@ You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and u
|Policy| Description |
|-|-|
-|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.|
+|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Configuration Manager customers who want to install custom packages that are not offered through Windows Update.|
### Suggested configuration
diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
deleted file mode 100644
index 078074ba23..0000000000
--- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Manage Windows upgrades with Upgrade Readiness (Windows 10)
-description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness.
-ms.prod: w10
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.topic: article
----
-
-# Manage Windows upgrades with Upgrade Readiness
-
-Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
-
-With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) model.
-
-Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-
-With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
-
-Use Upgrade Readiness to get:
-
-- A visual workflow that guides you from pilot to production
-- Detailed computer and application inventory
-- Powerful computer level search and drill-downs
-- Guidance and insights into application and driver compatibility issues, with suggested fixes
-- Data driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools, including System Center Configuration Manager
-
-The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-
-**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see:
-
-- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
-- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
-
-## **Related topics**
-
-[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
-[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
-[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
-[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
-[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index ed046d6920..41c49f7eb9 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -194,7 +194,7 @@ Disconnect all peripheral devices that are connected to the system, except for t
Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code.
- The rollback log is located in the C:$Windows.~BT\Sources\Panther folder. An example analysis is shown below. This example is not representative of all cases:
+ The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases:
Info SP Crash 0x0000007E detected
Info SP Module name :
@@ -601,7 +601,7 @@ Download and run the media creation tool. See
0x80240FFF
-
Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.
+
Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.
You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
Disable the Upgrades classification.
@@ -625,7 +625,7 @@ For detailed information on how to run these steps check out hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.
+
Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.
Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
deleted file mode 100644
index 43bc14033a..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Upgrade Readiness - Additional insights
-ms.reviewer:
-manager: laurawi
-ms.author: jaimeo
-description: Explains additional features of Upgrade Readiness.
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness - Additional insights
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include:
-
-- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer.
-- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers.
-
-## Site discovery
-
-The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
-
-> [!NOTE]
-> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
->
-> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries.
-
-In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started).
-
-### Review most active sites
-
-This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page.
-
-For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL.
-
-
-
-Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name.
-
-
-
-### Review document modes in use
-
-This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes).
-
-
-
-### Run browser-related queries
-
-You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries.
-
-
-
-## Office add-ins
-
-Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator.
-
-## Related topics
-
-[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md
deleted file mode 100644
index 73b74906d7..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-architecture.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Upgrade Readiness architecture (Windows 10)
-ms.reviewer:
-manager: laurawi
-ms.author: jaimeo
-description: Describes Upgrade Readiness architecture.
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness architecture
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation.
-
-
-
-
-
-After you enable Windows diagnostic data on user computers and install the compatibility update KB (1), user computers send computer, application and driver diagnostic data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, diagnostic data is analyzed by the Upgrade Readiness Service (3) and pushed to your workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades.
-
-For more information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see:
-
-[Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
-[Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-[Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
-
-## **Related topics**
-
-[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
-[Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
-[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
deleted file mode 100644
index 58e8a9e6c2..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Upgrade Readiness data sharing
-ms.reviewer:
-manager: laurawi
-ms.author: jaimeo
-description: Connectivity scenarios for data sharing with Upgrade Readiness
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness data sharing
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted.
-
-## Connectivity to the Internet
-
-There are several different methods your organization can use to connect to the Internet, and these methods can affect how authentication is performed by the deployment script.
-
-### Direct connection to the Internet
-
-This scenario is very simple since there is no proxy involved. If you are using a network firewall which is blocking outgoing traffic, please keep in mind that even though we provide DNS names for the endpoints needed to communicate to the Microsoft diagnostic data backend, We therefore do not recommend to attempt to whitelist endpoints on your firewall based on IP-addresses.
-
-In order to use the direct connection scenario, set the parameter **ClientProxy=Direct** in **runconfig.bat**.
-
-### Connection through the WinHTTP proxy
-
-This is the first and most simple proxy scenario.
-
-In order to set the WinHTTP proxy system-wide on your computers, you need to
-- Use the command netsh winhttp set proxy \:\
-- Set ClientProxy=System in runconfig.bat
-
-The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3.
-
-If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/).
-
-### Logged-in user’s Internet connection
-
-In order to accommodate complex proxy scenarios, we also support using the currently logged-in user’s internet connection. This scenario supports PAC scripts, proxy autodetection and authentication. Essentially, if the logged in user can reach the Windows diagnostic data endpoints, the diagnostic data client can send data. If runconfig.bat runs while no user is logged in, diagnostic data events get written into a buffer which gets flushed when a user logs in.
-
-In order to enable this scenario, you need:
-- A current quality update Rollup for Windows 7, 8.1 or Windows 10 Version 1511. Updates shipped after October 2016 have the needed code
-- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly.
-- Set ClientProxy=User in bat.
-
-> [!IMPORTANT]
-> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[]
-
-
-
-
-
diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
deleted file mode 100644
index 7ae486f5d3..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10)
-ms.reviewer:
-manager: laurawi
-ms.author: jaimeo
-description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness.
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness - Step 3: Deploy Windows
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready.
-The blades in the **Deploy** section are:
-
-- [Deploy eligible computers](#deploy-eligible-computers)
-- [Deploy computers by group](#computer-groups)
-
->Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment).
-
-## Deploy eligible computers
-
-In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways:
-- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**.
-- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**.
-- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met.
-
-
-
-
-
-Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers.
-
->**Important** When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
-
-## Computer groups
-
-Computer groups allow you to segment your environment by creating device groups based on log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/).
-
-Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS.
-
-### Getting started with Computer Groups
-
-When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example:
-
-
-
-To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example:
-
-```
-Type=UAComputer Manufacturer=DELL
-```
-
-
-
-When you are satisfied that the query is returning the intended results, add the following text to your search:
-
-```
-| measure count() by Computer
-```
-
-This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example:
-
-
-
-Your new computer group will now be available in Upgrade Readiness. See the following example:
-
-
-
-### Using Computer Groups
-
-When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready.
-
-
-
-Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**:
-
-
-
-Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**:
-
-
-
-A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed.
-
-### Upgrade assessment
-
-Upgrade assessment and guidance details are explained in the following table.
-
-| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance |
-|-----------------------|------------------------------------------------|----------|-----------------|---------------|
-| No known issues | No | None | Computers will upgrade seamlessly. | OK to use as-is in pilot. |
-| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. |
-| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.
If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.
|
-
-Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file.
-
->**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
deleted file mode 100644
index 47787f4477..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ /dev/null
@@ -1,194 +0,0 @@
----
-title: Upgrade Readiness deployment script (Windows 10)
-ms.reviewer:
-manager: laurawi
-ms.author: jaimeo
-description: Deployment script for Upgrade Readiness.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness deployment script
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
-
->[!IMPORTANT]
->Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
-
->[!IMPORTANT]
->The latest version of the Upgrade Readiness Script is **2.4.4 - 10.10.2018**
-
-For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/New-version-of-the-Upgrade-Analytics-Deployment-Script-available/ba-p/187164?advanced=false&collapse_discussion=true&q=new%20version%20of%20the%20upgrade%20analytics%20deployment%20script%20available&search_type=thread).
-
-> The following guidance applies to version **2.4.4 - 10.10.2018** of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
-
-The Upgrade Readiness deployment script does the following:
-
-1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
-2. Verifies that user computers can send data to Microsoft.
-3. Checks whether the computer has a pending restart.
-4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
-5. If enabled, turns on verbose mode for troubleshooting.
-6. Initiates the collection of the diagnostic data that Microsoft needs to assess your organization’s upgrade readiness.
-7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
-
-## Running the script
-
->There should be no performance impact caused by the script. The script is a light wrapper of Windows in-box components that undergo performance testing and optimization to avoid any performance impact. However, typically the script is scheduled to be run outside of working hours.
->
->Do not run the script at each sign-on. It is recommended to run the script once every 30 days.
->
->The length of time the script takes to run on each system depends on the number of apps and drivers, and the type of hardware. Anti-virus software scanning simultaneously can increase the script run time, but the script should require no longer than 10 minutes to run, and typically the time is much shorter. If the script is observed running for an extended period of time, please run the Pilot script, and collect logs to share with Microsoft. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
-
-To run the Upgrade Readiness deployment script:
-
-1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
-
-2. Edit the following parameters in RunConfig.bat:
-
- 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
-
- 2. Input your commercial ID key. To find your commercial ID, first navigate to the **Solutions** tab for your workspace, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID:
-
- 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
-
- > *logMode = 0 log to console only*
- >
- > *logMode = 1 log to file and console*
- >
- > *logMode = 2 log to file only*
-
-3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
-
- > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
- >
- > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
- >
- > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
- >
- > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
-4. The deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
-
- The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
-
- This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
-
- \*vortex\*.data.microsoft.com
- \*settings\*.data.microsoft.com
-
-5. The deployment script configures insider builds to continue to send the device name to the diagnostic data management service and the analytics portal. If you do not want to have insider builds send the device name sent to analytics and be available in the analytics portal, set **DeviceNAmeOptIn = false**. By default it is true, which preserves the behavior on previous versions of Windows. This setting only applies to insider builds. Note that the device name is also sent to AppInsights, so to ensure the device name is not sent to either place you would need to also set **AppInsightsOptIn = false**.
-
-6. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
-
-## Exit codes
-
-The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
-
-| Exit code | Suggested fix |
-|-----------|--------------|
-| 0 - Success | N/A |
-| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
-| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. |
-| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. |
-| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
-| 9 - The script failed to write Commercial Id to registry.
-Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
-| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. |
-| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. |
-| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) |
-| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. |
-| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). |
-| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. |
-| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. |
-| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. |
-|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. |
-| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. |
-| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. |
-| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. |
-| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. |
-| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. |
-| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. |
-| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. |
-| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. |
-| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). |
-| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). |
-| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. |
-| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. |
-| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. |
-| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. |
-| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
-| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. |
-| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. |
-| 45 - Diagtrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
-| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercial ID from your workspace. To find your commercial ID, first navigate to the Solutions tab for your workspace in Azure Portal, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID.|
-| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. |
-| 51 - RunCensus failed with an unexpected exception. | RunCensus explicitly runs the process used to collect device information. The method failed with an unexpected exception. The most common cause is incorrect setup of diagnostic data. Check the ExceptionHResult and ExceptionMessage for more details. |
-| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. |
-| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. |
-| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). |
-| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. |
-| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.|
-| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. |
-| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. |
-| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. |
-| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. |
-| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. |
-| 62 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is a REG_DWORD. |
-| 63 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. |
-| 64 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is a REG_DWORD. |
-| 65 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**. |
-| 66 - All recent data uploads for the Universal Telemetry Client failed. | Review the UtcConnectionReport in WMI in the namespace **root\cimv2\mdm\dmmap** under the **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** class. Only SYSTEM has access to this class. Use [PSExec](https://docs.microsoft.com/sysinternals/downloads/psexec) to execute your WMI utility as SYSTEM. |
-| 67 - CheckUtcCsp failed with an exception | There was an error reading the WIM/CIM class **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** in the namespace **root\cimv2\mdm\dmmap**. Review system for WMI errors. |
-
-
-
-
-
-
-> [!NOTE]
-> **Additional steps to follow if you receive exit code 33**
->
-> Check the exit code for any of these messages:
->
-> - CompatTelRunner.exe exited with last error code: 0x800703F1
-> - CompatTelRunner.exe exited with last error code: 0x80070005
-> - CompatTelRunner.exe exited with last error code: 0x80080005
->
->
-> If the exit code includes any of those messages, then run these commands from an elevated command prompt:
->
-> 1. Net stop diagtrack
-> 2. Net stop pcasvc
-> 3. Net stop dps
-> 4. Del %windir%\appcompat\programs\amcache.hve
-> 5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f
-> 6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f
-> 7. Net start diagtrack
-> 8. Net start pcasvc
-> 9. Net start dps
->
-> Then run the Enterprise Config script (RunConfig.bat) again.
->
-> If the script still fails, then contact support@microsoft.com and share the log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well.
-
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
deleted file mode 100644
index 0e4b6350ae..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Get started with Upgrade Readiness (Windows 10)
-ms.reviewer:
-manager: laurawi
-description: Explains how to get started with Upgrade Readiness.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
-author: jaimeo
-ms.author: jaimeo
-ms.localizationpriority: medium
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Get started with Upgrade Readiness
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-This topic explains how to obtain and configure Upgrade Readiness for your organization.
-
-You can use Upgrade Readiness to plan and manage your upgrade project end to end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft.
-
-Before you begin, consider reviewing the following helpful information:
- - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
- - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness.
-
->If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
-
-When you are ready to begin using Upgrade Readiness, perform the following steps:
-
-1. Review [data collection and privacy](#data-collection-and-privacy) information.
-2. [Add the Upgrade Readiness solution to your Azure subscription](#add-the-upgrade-readiness-solution-to-your-azure-subscription).
-3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics).
-4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled.
-
-## Data collection and privacy
-
-To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information.
-
-## Add the Upgrade Readiness solution to your Azure subscription
-
-Upgrade Readiness is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follow these steps:
-
-1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
-
- >[!NOTE]
- > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness.
-
-2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution.
- 
-
- 
-3. Choose an existing workspace or create a new workspace to host the Upgrade Readiness solution.
- 
- - If you are using other Windows Analytics solutions (Device Health or Update Compliance) you should add Upgrade Readiness to the same workspace.
- - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
- - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- - For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- - For the location setting, choose the Azure region where you would prefer the data to be stored.
- - For the pricing tier select **per GB**.
-4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**.
- 
-5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear.
- 
- - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Upgrade Readiness solution.
- - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour.
-
-## Enroll devices in Windows Analytics
-
-
-Once you've added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started).
-
-
-
-## Use Upgrade Readiness to manage Windows Upgrades
-
-Now that your devices are enrolled, you can move on to [Use Upgrade Readiness to manage Windows Upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
diff --git a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
deleted file mode 100644
index d726afe37b..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Upgrade Readiness - Identify important apps (Windows 10)
-ms.reviewer:
-manager: laurawi
-ms.author: jaimeo
-description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades.
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness - Step 1: Identify important apps
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade.
-
-
-
-
-
-Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
-
-To change an application’s importance level:
-
-1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level.
-2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
-3. Click **Save** when finished.
-
-Importance levels include:
-
-| Importance level | When to use it | Recommendation |
-|--------------------|------------------|------------------|
-| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]
Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention. | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.
|
-| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.
| Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. |
-| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.
| You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**. |
-| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**. |
-| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**. | Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.
|
-| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.
Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**. |
-
diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
deleted file mode 100644
index 76c3f064ee..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Monitor deployment with Upgrade Readiness
-ms.reviewer:
-manager: laurawi
-description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
-ms.localizationpriority: medium
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness - Step 4: Monitor
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements.
-
-
-
-
-## Update progress
-
-The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attempted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc.
-
-
-Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out.
-
-
-
-
-## Driver issues
-
-The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver.
-
-
-For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually.
-
-
-
-## User feedback
-
-The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar.
-
-
-We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications.
-
-When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well.
-
-
-
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
deleted file mode 100644
index b200bd292e..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Upgrade Readiness requirements (Windows 10)
-ms.reviewer:
-manager: laurawi
-description: Provides requirements for Upgrade Readiness.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.author: jaimeo
-ms.localizationpriority: medium
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness requirements
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness.
-
-## Supported upgrade paths
-
-### Windows 7 and Windows 8.1
-
-To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows diagnostic data, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
-
-The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
-
-
-
-If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
-
-> [!NOTE]
-> Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
-
-See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) for additional information about computer system requirements.
-
-### Windows 10
-
-Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
-The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
-
-While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC.
-
-## Operations Management Suite or Azure Log Analytics
-
-Upgrade Readiness is offered as a solution in Azure Portal and Azure Log Analytics, a collection of cloud-based services for managing on premises and cloud computing environments. For more information about Azure Portal, see [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
-
-If you’re already using Azure Portal or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace.
-
-If you are not using Azure Portal or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it.
-
->[!IMPORTANT]
->You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to Azure Portal. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in Azure Portal. You also need an Azure subscription to link to your Azure Portal workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
-
-## System Center Configuration Manager integration
-
-Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
-
-
-
-## Important information about this release
-
-Before you get started configuring Upgrade Readiness, review the following tips and limitations about this release.
-
-**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
-
-**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in Azure Portal. Upgrade Readiness is supported in all Azure regions; however, selecting an international Azure region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US.
-
-### Tips
-
-- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items.
-
-- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in Azure Portal, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby).
-
-## Get started
-
-See [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Readiness and getting started on your Windows upgrade project.
diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
deleted file mode 100644
index d657b61baa..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
+++ /dev/null
@@ -1,220 +0,0 @@
----
-title: Upgrade Readiness - Resolve application and driver issues (Windows 10)
-ms.reviewer:
-manager: laurawi
-description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.author: jaimeo
-ms.localizationpriority: medium
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness - Step 2: Resolve app and driver issues
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
-
-## In this section
-
-The blades in the **Step 2: Resolve issues** section are:
-
-- [Review applications with known issues](#review-applications-with-known-issues)
-- [Review known driver issues](#review-drivers-with-known-issues)
-- [Review low-risk apps and drivers](#review-low-risk-apps-and-drivers)
-- [Prioritize app and driver testing](#prioritize-app-and-driver-testing)
-
->You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
-
-Upgrade decisions include:
-
-
-| Upgrade decision | When to use it | Guidance |
-|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Not reviewed | All drivers are marked as Not reviewed by default.
Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default. | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.
|
-| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.
Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.
| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**. |
-| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.
In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. |
-| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.
Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade. | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.
|
-
-As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/).
-
-## Review applications with known issues
-
-Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
-
-
-
-
-
-To change an application's upgrade decision:
-
-1. Select **Decide upgrade readiness** to view applications with issues.
-2. In the table view, select an **UpgradeDecision** value.
-3. Select **Decide upgrade readiness** to change the upgrade decision for each application.
-4. Select the applications you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list.
-5. Click **Save** when finished.
-
-IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
-
-For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible.
-
-| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
-|--------------------|-----------------------------------|-----------|-----------------|------------|
-| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system. | No action is required for the upgrade to proceed. |
-| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.
The application may work on the new operating system. | Remove the application before upgrading, and reinstall and test on new operating system. |
-| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system. |
-| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system. |
-| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.
A compatible version of the application may be available. |
-| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further. | Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system. |
-| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. |
-
-For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft.
-
-| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
-|--------------------|-----------------------------------|----------|-----------------|-------------|
-| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. |
-| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process. | No action is required for the upgrade to proceed. Reinstall application on the new operating system. |
-| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system. |
-| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading. |
-
-### ISV support for applications with Ready for Windows
-
-[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/).
-
-Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example:
-
-
-
-If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance.
-
-
-
-If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows.
-
-
-
-> [!TIP]
-> Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer.
->
-> To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed.
->
-> Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions.
-
-The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
-
-| Ready for Windows Status | Query rollup level | What this means | Guidance |
-|-------------------|--------------------------|-----------------|----------|
-|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. |
-| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. |
-| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. |
-| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A |
-| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.|
-|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.|
-|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.|
-| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A |
-
-## Review drivers with known issues
-
-Drivers that won’t migrate to the new operating system are listed, grouped by availability.
-
-
-
-Availability categories are explained in the table below.
-
-| Driver availability | Action required before or after upgrade? | What it means | Guidance |
-|-----------------------|------------------------------------------|----------------|--------------|
-| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | No action is required for the upgrade to proceed. |
-| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update. | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading. |
-| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.
Although a new driver is installed during upgrade, a newer version is available from Windows Update. | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading. |
-| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version. | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. |
-
-To change a driver’s upgrade decision:
-
-1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table.
-
-2. Select **User changes** to enable user input.
-
-3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list.
-
-4. Click **Save** when finished.
-
-## Review low-risk apps and drivers
-
-Applications and drivers that are meet certain criteria to be considered low risk are displayed on this blade.
-
-
-
-The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system.
-
-The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well.
-
-Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app.
-
-You can customize the criteria further by using the Log Search query language. For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**. Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance.
-
->[!NOTE]
->Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading.
-
- At the bottom of the blade, the **OTHER APPS AND DRIVERS IN NEED OF REVIEW** section allows you to quickly access apps you have designated as **Mission critical** or **Business critical**, your remaining apps that still need to be reviewed, and your remaining drivers that need to be reviewed.
-
-
-
-## Prioritize app and driver testing
-
-Planning and executing an OS upgrade project can be overwhelming. When you are tasked with evaluating thousands of applications and drivers to ensure a successful upgrade, it can be difficult to decide where to start. The Upgrade Readiness solution provides valuable assistance for you, helping to determine the most important apps and drivers to unblock and enabling you yo create a proposed action plan.
-
-### Proposed action plan
-
-The Upgrade Readiness proposed action plan is an optimally ordered list of apps and drivers that are in need of review. By testing apps and drivers in the order suggested by the proposed action plan, you are able to increase your number of “Ready to upgrade” computers in an efficient manner. The action plan can be a very powerful tool during upgrade planning – but it’s most helpful when it’s used correctly. This topic explains the proposed action plan, describes how to use it, and calls out a few misconceptions and invalid use cases that you should avoid.
-
-The proposed action plan represents the order that Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently.
-
-Each item in the proposed action plan represents either an application or a driver that you have not yet marked “Ready to upgrade.”
-
->Since “Low install count” apps are automatically marked “Ready to upgrade”, you will not see any of these apps in the proposed action plan.
-
-Each item in the plan has the following attributes:
-
-| Attribute | Description | Example value |
-|-----------------------|------------------------------------------|----------------|
-| ItemRank | The location of this item in the context of the proposed action plan. For example, the item with ItemRank 7 is the 7th item in the Plan. It is crucial that the Plan is viewed in order by increasing ItemRank. Sorting the Plan in any other way invalidates the insights that the Plan provides. | 7 |
-| ItemType | Whether this item is an app or driver -- possible values are: "App" and "Driver." | App |
-| ItemName | The name of the app or driver that is in need of review. | Microsoft Visual C++ 2005 Redistributable (x64) |
-| ItemVendor | The vendor of the app or driver. | Microsoft Corporation |
-| ItemVersion | The version of the app or driver. | 12.1.0.1 |
-| ItemLanguage | If this item is an application, then this field will be the language of the app. If the item is a driver, then this will say "N/A." | English |
-| ItemHardwareId | If this item is a driver, then this field will be the hardware id of the driver. If the item is an app, then this will say "N/A." | N/A |
-| Upgrade Decision | The upgrade decision you have provided for this app or driver. If you have not defined an upgrade decision, then you will see the default value of “Not reviewed.” | Review in progress |
-| ComputersUnblocked | Assuming you have already marked all previous items in the proposed action plan “Ready to upgrade”, this represents the number of additional computers that will become “Ready to upgrade” by testing this app or driver and giving it an upgrade decision of “Ready to upgrade”. For example, if ComputersUnblocked is 200, then resolving any issues associated with the app/driver in question will make 200 new computers “Ready to upgrade.” | 200 |
-| CumulativeUnblocked | The total number of computers that will become “Ready to upgrade” if you validate and mark this and all prior items in the proposed action plan “Ready to upgrade”. For example, if ItemRank is 7, and CumulativeUnblocked is 950, then fixing items 1 thru 7 in the proposed action plan will cause 950 of your computers to become “Ready to upgrade.” | 950 |
-| CumulativeUnblockedPct | The percentage of your machines that will become “Ready to upgrade” if you make this and all prior items in the proposed action plan “Ready to upgrade.” | 0.24 |
-
-See the following example action plan items (click the image for a full-size view):
-
-
-
-
-In this example, the 3rd item is an application: Microsoft Bing Sports, a modern app, version 4.20.951.0, published by Microsoft. By validating this app and making its UpgradeDecision “Ready to upgrade”, you can potentially make 1014 computers “Ready to upgrade” – but only after you have already validated items 1 and 2 in the list. By marking items 1, 2, and 3 “Ready to upgrade”, 14779 of your computers will become upgrade-ready. This represents 10.96% of the machines in this workspace.
-
-#### Using the proposed action plan
-
-There are several valid use cases for the proposed action plan. But it’s always important to remember that the information presented in the Plan is only accurate when sorted by increasing Item Rank! Here are three potential cases in which you could use the proposed action plan:
-
-1. Quickly determine how many apps and drivers you’ll need to validate in order to make x% of your computers upgrade-ready. To determine this, simply find the first item in the Plan with a CumulativeUnblockedPct greater than or equal to your desired percentage of upgrade-ready computers. The corresponding ItemRank represents the smallest number of apps and drivers that you can validate in order to reach your upgrade readiness goal. The prior items in the proposed action plan itself represent the most efficient route to reaching your goal.
-
-2. Use the proposed action plan to prepare a small portion of your machines for a pilot of your target Operating System. Let’s say you want to test a new Operating System by upgrading a few hundred computers. You can use the proposed action plan to determine how many apps and drivers you will need to validate before you can be confident that your pilot will be successful.
-
-3. If your project deadline is approaching and you only have time to validate a few more apps and drivers, you can use the proposed action plan to determine which apps and drivers you should focus on to maximize the number of computers that you can confidently upgrade.
-
-#### Misconceptions and things to avoid
-
-The most common misconceptions about the proposed action plan involve the assumption that each item in the plan is independent of those around it. The apps and drivers in the plan must be considered in the correct order to draw valid conclusions. For example, if you choose to validate items 1, 3, 4, and 5 and mark each of them “Ready to upgrade,” the proposed action plan cannot tell you how many computers will become upgrade-ready as a result of your testing. Even the non-cumulative “ComputersUnblocked” count is dependent upon all prior issues having already been resolved.
-
-If an item with ItemRank = 7 has a ComputersUnblocked value of 50, do not assume that 50 of your computers will become upgrade-ready if you test this item. However, if you validate items 1 through 6 in the plan, you can make an additional 50 computers upgrade-ready by validating the 7th item in the plan.
diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md
deleted file mode 100644
index 314fd7a5a2..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Upgrade Readiness - Targeting a new operating system version
-ms.reviewer:
-manager: laurawi
-ms.author: jaimeo
-description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Targeting a new operating system version
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed:
-
-## TestResults
-
-If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do.
-
-If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query:
-
-`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"`
-
-After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **TestResult** to *Not started*. Leave all other fields as they are.
-
-## UpgradeDecision
-
-If you want to preserve the UpgradeDecision from the previous operating system version testing, there is nothing you need to do.
-
-If you want to reset them, keep these important points in mind:
-
-- Make sure to *not* reset the **Ready to upgrade** decision for the "long tail" of apps that have importance of **Ignore** or **Low install count**. Doing this will make it extremely difficult to complete the Upgrade Readiness workflow.
-- Decide which decisions to reset. For example, one option is just to reset the decisions marked **Ready to upgrade** (in order to retest those), while preserving states of apps marked **Won't upgrade**. Doing this means you won't lose track of this previous marking. Or you can reset everything.
-
-To do this, type the following query in **Log Search**:
-
-`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and Importance <> "Ignore" and Importance <> "Low install count" and UpgradeDecision == "Ready to upgrade"`
-
->[!NOTE]
->If you just want to reset all **UpgradeDecision** values, you can simply remove `'and UpgradeDecision == "Ready to upgrade"` from the query.
-
-After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **UpgradeDecision** to *Not reviewed*. Leave all other fields as they are.
-
-
-## Bulk-approving apps from a given vendor
-
-You can bulk-approve all apps from a given vendor (for example, Microsoft) if there are no known compatibility issues. To do this, type the following query in **Log Search**:
-
-`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and AppVendor has "Microsoft" and UpgradeAssessment=="No known issues" and UpgradeDecision<>"Ready to upgrade"`
-
-After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are.
-
-## Related topics
-
-[Windows Analytics overview](../update/windows-analytics-overview.md)
-
-[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
-
-[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
-
diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
deleted file mode 100644
index 5a4b7b9357..0000000000
--- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Upgrade Readiness - Upgrade Overview (Windows 10)
-ms.reviewer:
-manager: laurawi
-ms.author: jaimeo
-description: Displays the total count of computers sharing data and upgraded.
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness - Upgrade overview
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
-The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
-
-The upgrade overview blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version).
-
-The following color-coded status changes are reflected on the upgrade overview blade:
-
-- The "Last updated" banner:
- - No delay in processing device inventory data = "Last updated" banner is displayed in green.
- - Delay processing device inventory data = "Last updated" banner is displayed in amber.
-- Computers with incomplete data:
- - Less than 4% = Count is displayed in green.
- - 4% - 10% = Count is displayed in amber.
- - Greater than 10% = Count is displayed in red.
-- Computers with outdated KB:
- - Less than 10% = Count is displayed in green.
- - 10% - 30% = Count is displayed in amber.
- - Greater than 30% = Count is displayed in red.
-- User changes:
- - Pending user changes = User changes count displays "Data refresh pending" in amber.
- - No pending user changes = User changes count displays "Up to date" in green.
-- Target version:
- - If the current value matches the recommended value, the version is displayed in green.
- - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- - If the current value is a deprecated OS version, the version is displayed in red.
-
-Click a row to drill down and see details about individual computers. If updates are missing, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) for information on required updates.
-
-In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require an update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
-
-
-
-
-
-If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours.
-
-If there are computers with incomplete data, verify that you have installed the latest compatibility updates. Install the updates if necessary and then run the most recent [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script.
-
-Select **Total computers** for a list of computers and details about them, including:
-
-- Computer ID and computer name
-- Computer manufacturer
-- Computer model
-- Operating system version and build
-- Count of system requirement, application, and driver issues per computer
-- Upgrade assessment based on analysis of computer diagnostic data
-- Upgrade decision status
-
-Select **Total applications** for a list of applications discovered on user computers and details about them, including:
-
-- Application vendor
-- Application version
-- Count of computers the application is installed on
-- Count of computers that opened the application at least once in the past 30 days
-- Percentage of computers in your total computer inventory that opened the application in the past 30 days
-- Issues detected, if any
-- Upgrade assessment based on analysis of application data
-- Rollup level
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index c6118f8f14..f559f6feee 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -1,6 +1,6 @@
---
title: Perform in-place upgrade to Windows 10 via Configuration Manager
-description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a SCCM task sequence.
+description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a Microsoft Endpoint Configuration Manager task sequence.
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
ms.reviewer:
manager: laurawi
@@ -21,7 +21,10 @@ ms.topic: article
- Windows 10
-The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
+The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process.
+
+>[!IMPORTANT]
+>Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must removed from a device before performing an in-place upgrade to Windows 10.
## Proof-of-concept environment
@@ -111,10 +114,10 @@ Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequ
After the task sequence finishes, the computer will be fully upgraded to Windows 10.
-## Upgrade to Windows 10 with System Center Configuration Manager Current Branch
+## Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager Current Branch
-With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10.
+With Microsoft Endpoint Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10.
**Note**
For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
@@ -147,7 +150,7 @@ Figure 3. The Configuration Manager upgrade task sequence.
### Create a device collection
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed.
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of Microsoft Endpoint Configuration Manager client installed.
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
- General
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 2a7e01c1d8..ee85dd816a 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -11,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.topic: article
---
@@ -24,7 +25,7 @@ The simplest path to upgrade PCs that are currently running Windows 7, Windows
## Proof-of-concept environment
-For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
deleted file mode 100644
index f2fffff9ad..0000000000
--- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Use Upgrade Readiness to manage Windows upgrades (Windows 10)
-ms.reviewer:
-manager: laurawi
-description: Describes how to use Upgrade Readiness to manage Windows upgrades.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
-ms.localizationpriority: medium
-ms.prod: w10
-audience: itpro
-author: jaimeo
-ms.author: jaimeo
-ms.topic: article
----
-
-# Use Upgrade Readiness to manage Windows upgrades
-
->[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
-
->[!IMPORTANT]
->>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started).
-
-You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
-
-- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
-- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
-
-When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
-
-
-
-Blue tiles enumerate each step in the workflow. White tiles show data to help you get started, to monitor your progress, and to complete each step.
->**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Semi-Annual Channel.
-
-The following information and workflow is provided:
-
-- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers.
-- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications.
-- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications.
-- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process.
-
-Also see the following topic for information about additional items that can be affected by the upgrade process:
-
-- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity.
-
-## Target version
-
-The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example:
-
-
-
-The default target version in Upgrade Readiness is set to the released version of the Semi-Annual Channel. Check [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) to learn the current version in the Semi-Annual Channel. The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version.
-
-The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
-
-You can change the Windows 10 version you want to target. All currently supported versions of Windows 10 are available options.
-
-To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
-
-
-
->You must be signed in to Upgrade Readiness as an administrator to view settings.
-
-On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
-
-
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index d683bd63b3..e2806e3c0c 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -1,250 +1,251 @@
----
-title: Windows 10 edition upgrade (Windows 10)
-description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
-ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mobile
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 edition upgrade
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page.
-
-For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf).
-
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
-
-Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuration Manager.
-
- (X) = not supported
- (green checkmark) = supported, reboot required
- (blue checkmark) = supported, no reboot required
-
-
-
-| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
-|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
-| **Home > Pro** |  |  |  |  |  |  |
-| **Home > Pro for Workstations** |  |  |  |  |  |  |
-| **Home > Pro Education** |  |  |  |  |  |  |
-| **Home > Education** |  |  |  |  |  |  |
-| **Pro > Pro for Workstations** |  |  |  |  (MSfB) |  |  |
-| **Pro > Pro Education** |  |  |  |  (MSfB) |  |  |
-| **Pro > Education** |  |  |  |  (MSfB) |  |  |
-| **Pro > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
-| **Pro for Workstations > Pro Education** |  |  |  |  (MSfB) |  |  |
-| **Pro for Workstations > Education** |  |  |  |  (MSfB) |  |  |
-| **Pro for Workstations > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
-| **Pro Education > Education** |  |  |  |  (MSfB) |  |  |
-| **Enterprise > Education** |  |  |  |  (MSfB) |  |  |
-| **Mobile > Mobile Enterprise** |  | |  |  |  |  |
-
-> [!NOTE]
-> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
-> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
->
-> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates.
-
-## Upgrade using mobile device management (MDM)
-- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907).
-
-- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907).
-
-## Upgrade using a provisioning package
-Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
-
-- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
-
-- To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
-
-For more info about Windows Configuration Designer, see these topics:
-- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package)
-- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package)
-
-
-## Upgrade using a command-line tool
-You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10:
-
-`changepk.exe /ProductKey `
-
-You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise.
-
-`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43`
-
-
-## Upgrade by manually entering a product key
-If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
-
-**To manually enter a product key**
-
-1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut.
-
-2. Click **Change product key**.
-
-3. Enter your product key.
-
-4. Follow the on-screen instructions.
-
-## Upgrade by purchasing a license from the Microsoft Store
-If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store.
-
-**To upgrade through the Microsoft Store**
-
-1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut.
-
-2. Click **Go to Store**.
-
-3. Follow the on-screen instructions.
-
- **Note** If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
-
-## License expiration
-
-Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required.
-
-Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades.
-
-Note: If you are using [Windows 10 Enterprise Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires.
-
-### Scenario example
-
-Downgrading from Enterprise
-- Original edition: **Professional OEM**
-- Upgrade edition: **Enterprise**
-- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
-
-You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
-
-### Supported Windows 10 downgrade paths
-
-✔ = Supported downgrade path
- S = Supported; Not considered a downgrade or an upgrade
-[blank] = Not supported or not a downgrade
-
-
-
-
-
Destination edition
-
-
-
-
-
Home
-
Pro
-
Pro for Workstations
-
Pro Education
-
Education
-
Enterprise LTSC
-
Enterprise
-
-
-
Starting edition
-
-
-
Home
-
-
-
-
-
-
-
-
-
-
Pro
-
-
-
-
-
-
-
-
-
-
Pro for Workstations
-
-
-
-
-
-
-
-
-
-
Pro Education
-
-
-
-
-
-
-
-
-
-
Education
-
-
✔
-
✔
-
✔
-
-
-
S
-
-
-
Enterprise LTSC
-
-
-
-
-
-
-
-
-
-
Enterprise
-
-
✔
-
✔
-
✔
-
S
-
-
-
-
-
-> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
->
-> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
-
-Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
-
-## Related topics
-
-[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
-[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
-[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation)
+---
+title: Windows 10 edition upgrade (Windows 10)
+description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
+ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mobile
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 edition upgrade
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page.
+
+For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf).
+
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
+
+Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
+
+ (X) = not supported
+ (green checkmark) = supported, reboot required
+ (blue checkmark) = supported, no reboot required
+
+
+
+| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
+|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
+| **Home > Pro** |  |  |  |  |  |  |
+| **Home > Pro for Workstations** |  |  |  |  |  |  |
+| **Home > Pro Education** |  |  |  |  |  |  |
+| **Home > Education** |  |  |  |  |  |  |
+| **Pro > Pro for Workstations** |  |  |  |  (MSfB) |  |  |
+| **Pro > Pro Education** |  |  |  |  (MSfB) |  |  |
+| **Pro > Education** |  |  |  |  (MSfB) |  |  |
+| **Pro > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
+| **Pro for Workstations > Pro Education** |  |  |  |  (MSfB) |  |  |
+| **Pro for Workstations > Education** |  |  |  |  (MSfB) |  |  |
+| **Pro for Workstations > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
+| **Pro Education > Education** |  |  |  |  (MSfB) |  |  |
+| **Enterprise > Education** |  |  |  |  (MSfB) |  |  |
+| **Mobile > Mobile Enterprise** |  | |  |  |  |  |
+
+> [!NOTE]
+> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
+> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
+>
+> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates.
+
+## Upgrade using mobile device management (MDM)
+- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907).
+
+- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907).
+
+## Upgrade using a provisioning package
+Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
+
+- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
+
+- To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
+
+For more info about Windows Configuration Designer, see these topics:
+- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package)
+
+
+## Upgrade using a command-line tool
+You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10:
+
+`changepk.exe /ProductKey `
+
+You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise.
+
+`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43`
+
+
+## Upgrade by manually entering a product key
+If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
+
+**To manually enter a product key**
+
+1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut.
+
+2. Click **Change product key**.
+
+3. Enter your product key.
+
+4. Follow the on-screen instructions.
+
+## Upgrade by purchasing a license from the Microsoft Store
+If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store.
+
+**To upgrade through the Microsoft Store**
+
+1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut.
+
+2. Click **Go to Store**.
+
+3. Follow the on-screen instructions.
+
+ **Note** If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
+
+## License expiration
+
+Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required.
+
+Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades.
+
+Note: If you are using [Windows 10 Enterprise Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires.
+
+### Scenario example
+
+Downgrading from Enterprise
+- Original edition: **Professional OEM**
+- Upgrade edition: **Enterprise**
+- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
+
+You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
+
+### Supported Windows 10 downgrade paths
+
+✔ = Supported downgrade path
+ S = Supported; Not considered a downgrade or an upgrade
+[blank] = Not supported or not a downgrade
+
+
+
+
+
Destination edition
+
+
+
+
+
Home
+
Pro
+
Pro for Workstations
+
Pro Education
+
Education
+
Enterprise LTSC
+
Enterprise
+
+
+
Starting edition
+
+
+
Home
+
+
+
+
+
+
+
+
+
+
Pro
+
+
+
+
+
+
+
+
+
+
Pro for Workstations
+
+
+
+
+
+
+
+
+
+
Pro Education
+
+
+
+
+
+
+
+
+
+
Education
+
+
✔
+
✔
+
✔
+
+
+
S
+
+
+
Enterprise LTSC
+
+
+
+
+
+
+
+
+
+
Enterprise
+
+
✔
+
✔
+
✔
+
S
+
+
+
+
+
+> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
+>
+> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
+
+Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
+
+## Related topics
+
+[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
+[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
+[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation)
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index bfc3a1013c..b23758ae60 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -1,154 +1,155 @@
----
-title: Common Migration Scenarios (Windows 10)
-description: Common Migration Scenarios
-ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Common Migration Scenarios
-
-
-You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred.
-
-One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system.
-
-## In This Topic
-
-
-[PC Refresh](#bkmk-pcrefresh)
-
-[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh)
-
-[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh)
-
-[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh)
-
-[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh)
-
-[PC Replacement](#bkmk-pcreplace)
-
-[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace)
-
-[Scenario Two: Manual network migration](#bkmk-twopcreplace)
-
-[Scenario Three: Managed network migration](#bkmk-threepcreplace)
-
-## PC-Refresh
-
-
-The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer.
-
-
-
-
-
-
-
-### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store
-
-A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer.
-
-1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive.
-
-2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications.
-
-3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer.
-
-### Scenario Two: PC-refresh using a compressed migration store
-
-A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server.
-
-1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server.
-
-2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications.
-
-3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer.
-
-### Scenario Three: PC-refresh using a hard-link migration store
-
-A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer.
-
-1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive.
-
-2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications.
-
-3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer.
-
-### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store
-
-A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer.
-
-1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows.
-
-2. On each computer, the administrator installs the company’s SOE which includes company applications.
-
-3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options.
-
-## PC-Replacement
-
-
-The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer.
-
-
-
-
-
-
-
-### Scenario One: Offline migration using WinPE and an external migration store
-
-A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection.
-
-1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk.
-
-2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications.
-
-3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers.
-
-### Scenario Two: Manual network migration
-
-A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store.
-
-1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server.
-
-2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
-
-3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use.
-
-4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use.
-
-### Scenario Three: Managed network migration
-
-A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store.
-
-1. On each source computer, the administrator runs the ScanState tool using Microsoft System Center Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server.
-
-2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
-
-3. On each of the new computers, the administrator runs the LoadState tool using System Center Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers.
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-[Choose a Migration Store Type](usmt-choose-migration-store-type.md)
-
-[Offline Migration Reference](offline-migration-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Common Migration Scenarios (Windows 10)
+description: Common Migration Scenarios
+ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Common Migration Scenarios
+
+
+You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred.
+
+One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system.
+
+## In This Topic
+
+
+[PC Refresh](#bkmk-pcrefresh)
+
+[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh)
+
+[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh)
+
+[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh)
+
+[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh)
+
+[PC Replacement](#bkmk-pcreplace)
+
+[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace)
+
+[Scenario Two: Manual network migration](#bkmk-twopcreplace)
+
+[Scenario Three: Managed network migration](#bkmk-threepcreplace)
+
+## PC-Refresh
+
+
+The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer.
+
+
+
+
+
+
+
+### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store
+
+A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer.
+
+1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive.
+
+2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications.
+
+3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer.
+
+### Scenario Two: PC-refresh using a compressed migration store
+
+A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server.
+
+1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server.
+
+2. On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications.
+
+3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer.
+
+### Scenario Three: PC-refresh using a hard-link migration store
+
+A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer.
+
+1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive.
+
+2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications.
+
+3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer.
+
+### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store
+
+A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer.
+
+1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows.
+
+2. On each computer, the administrator installs the company’s SOE which includes company applications.
+
+3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options.
+
+## PC-Replacement
+
+
+The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer.
+
+
+
+
+
+
+
+### Scenario One: Offline migration using WinPE and an external migration store
+
+A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection.
+
+1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk.
+
+2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications.
+
+3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers.
+
+### Scenario Two: Manual network migration
+
+A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store.
+
+1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server.
+
+2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
+
+3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use.
+
+4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use.
+
+### Scenario Three: Managed network migration
+
+A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store.
+
+1. On each source computer, the administrator runs the ScanState tool using Microsoft Endpoint Configuration Manager, Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server.
+
+2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
+
+3. On each of the new computers, the administrator runs the LoadState tool using Microsoft Endpoint Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers.
+
+## Related topics
+
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+[Choose a Migration Store Type](usmt-choose-migration-store-type.md)
+
+[Offline Migration Reference](offline-migration-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 7c4185278b..183f7bc16e 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -1,53 +1,54 @@
----
-title: Test Your Migration (Windows 10)
-description: Test Your Migration
-ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Test Your Migration
-
-
-Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data.
-
-After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store.
-
-If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line.
-
-In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger.
-
-**Note**
-Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred.
-
-
-
-After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft® System Center Configuration Manager (SCCM), or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246).
-
-**Note**
-For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration.
-
-
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-[Log Files](usmt-log-files.md)
-
-
-
-
-
-
-
-
-
+---
+title: Test Your Migration (Windows 10)
+description: Test Your Migration
+ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Test Your Migration
+
+
+Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data.
+
+After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store.
+
+If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line.
+
+In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger.
+
+**Note**
+Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred.
+
+
+
+After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Endpoint Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/manage-user-state).
+
+**Note**
+For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration.
+
+
+
+## Related topics
+
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+[Log Files](usmt-log-files.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index 9cd6a07136..6b80a72d89 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -1,94 +1,95 @@
----
-title: Configure Client Computers (Windows 10)
-description: Configure Client Computers
-ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Configure Client Computers
-
-To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers:
-
-- An exception must be set in the client computer's firewall.
-- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations.
-
-Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
-
-**Important**
-This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933).
-
-## Configuring the Windows Firewall to allow VAMT access
-
-Enable the VAMT to access client computers using the **Windows Firewall** Control Panel:
-1. Open Control Panel and double-click **System and Security**.
-2. Click **Windows Firewall**.
-3. Click **Allow a program or feature through Windows Firewall**.
-4. Click the **Change settings** option.
-5. Select the **Windows Management Instrumentation (WMI)** checkbox.
-6. Click **OK**.
-
- **Warning**
- By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.
-
-## Configure Windows Firewall to allow VAMT access across multiple subnets
-
-Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel:
-
-
-
-1. Open the Control Panel and double-click **Administrative Tools**.
-2. Click **Windows Firewall with Advanced Security**.
-3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
- - Windows Management Instrumentation (ASync-In)
- - Windows Management Instrumentation (DCOM-In)
- - Windows Management Instrumentation (WMI-In)
-
-4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel.
-
-5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box.
-
- - On the **General** tab, select the **Allow the connection** checkbox.
- - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
- - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).
-
-In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
-For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911).
-
-## Create a registry value for the VAMT to access workgroup-joined computer
-
-**Caution**
-This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912).
-
-On the client computer, create the following registry key using regedit.exe.
-
-1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
-2. Enter the following details:
- **Value Name: LocalAccountTokenFilterPolicy**
- **Type: DWORD**
- **Value Data: 1**
- **Note**
- To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.
-
-## Deployment options
-
-There are several options for organizations to configure the WMI firewall exception for computers:
-- **Image.** Add the configurations to the master Windows image deployed to all clients.
-- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
-- **Script.** Execute a script using Microsoft System Center Configuration Manager or a third-party remote script execution facility.
-- **Manual.** Configure the WMI firewall exception individually on each client.
-The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.
-
-## Related topics
-
-- [Install and Configure VAMT](install-configure-vamt.md)
-
-
+---
+title: Configure Client Computers (Windows 10)
+description: Configure Client Computers
+ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Configure Client Computers
+
+To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers:
+
+- An exception must be set in the client computer's firewall.
+- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations.
+
+Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
+
+**Important**
+This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933).
+
+## Configuring the Windows Firewall to allow VAMT access
+
+Enable the VAMT to access client computers using the **Windows Firewall** Control Panel:
+1. Open Control Panel and double-click **System and Security**.
+2. Click **Windows Firewall**.
+3. Click **Allow a program or feature through Windows Firewall**.
+4. Click the **Change settings** option.
+5. Select the **Windows Management Instrumentation (WMI)** checkbox.
+6. Click **OK**.
+
+ **Warning**
+ By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.
+
+## Configure Windows Firewall to allow VAMT access across multiple subnets
+
+Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel:
+
+
+
+1. Open the Control Panel and double-click **Administrative Tools**.
+2. Click **Windows Firewall with Advanced Security**.
+3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
+ - Windows Management Instrumentation (ASync-In)
+ - Windows Management Instrumentation (DCOM-In)
+ - Windows Management Instrumentation (WMI-In)
+
+4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel.
+
+5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box.
+
+ - On the **General** tab, select the **Allow the connection** checkbox.
+ - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
+ - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).
+
+In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
+For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911).
+
+## Create a registry value for the VAMT to access workgroup-joined computer
+
+**Caution**
+This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912).
+
+On the client computer, create the following registry key using regedit.exe.
+
+1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
+2. Enter the following details:
+ **Value Name: LocalAccountTokenFilterPolicy**
+ **Type: DWORD**
+ **Value Data: 1**
+ **Note**
+ To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.
+
+## Deployment options
+
+There are several options for organizations to configure the WMI firewall exception for computers:
+- **Image.** Add the configurations to the master Windows image deployed to all clients.
+- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
+- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility.
+- **Manual.** Configure the WMI firewall exception individually on each client.
+The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.
+
+## Related topics
+
+- [Install and Configure VAMT](install-configure-vamt.md)
+
+
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index 264ebca94c..e9c0da934f 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -31,17 +31,16 @@ The Volume Activation Management Tool (VAMT) can be used to perform activations
The following table lists the system requirements for the VAMT host computer.
-|Item |Minimum system requirement |
-|-----|---------------------------|
-|Computer and Processor |1 GHz x86 or x64 processor |
-|Memory |1 GB RAM for x86 or 2 GB RAM for x64 |
-|Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 |
-|External Drive|Removable media (Optional) |
-|Display |1024x768 or higher resolution monitor |
-|Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS |
-|Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. |
-|Additional Requirements |
Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and
-Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
|
+| Item | Minimum system requirement |
+| ---- | ---------------------------|
+| Computer and Processor | 1 GHz x86 or x64 processor |
+| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 |
+| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 |
+| External Drive | Removable media (Optional) |
+| Display | 1024x768 or higher resolution monitor |
+| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
+| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
+| Additional Requirements |
Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
|
## Related topics
- [Install and Configure VAMT](install-configure-vamt.md)
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index f36dea21ef..3ae808a4af 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -1,6 +1,6 @@
---
title: Windows 10 deployment process posters
-description: View and download Windows 10 deployment process flows for System Center Configuration Manager and Windows Autopilot.
+description: View and download Windows 10 deployment process flows for Microsoft Endpoint Configuration Manager and Windows Autopilot.
ms.reviewer:
manager: laurawi
ms.audience: itpro
@@ -21,7 +21,7 @@ ms.topic: article
**Applies to**
- Windows 10
-The following posters step through various options for deploying Windows 10 with Windows Autopilot or System Center Configuration Manager.
+The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager.
## Deploy Windows 10 with Autopilot
@@ -29,7 +29,7 @@ The Windows Autopilot poster is two pages in portrait mode (11x17). Click the im
[](./media/Windows10AutopilotFlowchart.pdf)
-## Deploy Windows 10 with System Center Configuration Manager
+## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
@@ -38,4 +38,4 @@ The Configuration Manager poster is one page in landscape mode (17x11). Click th
## See also
[Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot)
-[Scenarios to deploy enterprise operating systems with Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
\ No newline at end of file
+[Scenarios to deploy enterprise operating systems with Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
\ No newline at end of file
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index ce54ecb1ff..cd3a28b0ca 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -25,7 +25,7 @@ ms.topic: article
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
-- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
+- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
- Traditional deployment methods use existing tools to deploy operating system images.
@@ -109,7 +109,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Deploy a new device, or wipe an existing device and deploy with a fresh image.
@@ -121,7 +121,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state.
@@ -133,7 +133,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
@@ -159,7 +159,7 @@ For more information about Windows Autopilot, see [Overview of Windows Autopilot
For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
-Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
+Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.
@@ -206,7 +206,7 @@ While the initial Windows 10 release includes a variety of provisioning setting
## Traditional deployment:
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
@@ -269,7 +269,7 @@ The deployment process for the replace scenario is as follows:
## Related topics
- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357)
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index e241930c1e..e4cadbe165 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -1,258 +1,260 @@
----
-title: Windows 10 Enterprise E3 in CSP
-description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition.
-keywords: upgrade, update, task sequence, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-ms.date: 08/24/2017
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-audience: itpro
author: greg-lindsay
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows 10 Enterprise E3 in CSP
-
-Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:
-
-- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded
-- Azure Active Directory (Azure AD) available for identity management
-
-Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro.
-
-Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
-
-When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits:
-
-- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB).
-
-- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
-
-- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
-
-- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days).
-
-- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization.
-
-- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
-
-How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
-
-- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
-
-- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
-
- - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
-
- - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
-
- - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
-
- - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
-
- In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
-
-In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition.
-
-## Compare Windows 10 Pro and Enterprise editions
-
-Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
-
-*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro*
-
-
-
-
-
-
-
-
-
Feature
-
Description
-
-
-
-
-
Credential Guard
-
This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.
-
Credential Guard has the following features:
-
-
Hardware-level security. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
-
Virtualization-based security. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
-
Improved protection against persistent threats. Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.
-
Improved manageability. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.
Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)
-
-
-
Device Guard
-
This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.
-
Device Guard does the following:
-
-
Helps protect against malware
-
Helps protect the Windows system core from vulnerability and zero-day exploits
This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.
With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
-
UE-V provides the ability to do the following:
-
-
Specify which application and Windows settings synchronize across user devices
-
Deliver the settings anytime and anywhere users work throughout the enterprise
-
Create custom templates for your third-party or line-of-business applications
-
Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state
This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:
-
-
Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands
-
Removing Log Off (the User tile) from the Start menu
-
Removing frequent programs from the Start menu
-
Removing the All Programs list from the Start menu
-
Preventing users from customizing their Start screen
-
Forcing Start menu to be either full-screen size or menu size
-
Preventing changes to Taskbar and Start menu settings
-
-
-
-
-
-## Deployment of Windows 10 Enterprise E3 licenses
-
-See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
-
-## Deploy Windows 10 Enterprise features
-
-Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)?
-
-The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features.
-
-### Credential Guard\*
-
-You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
-
-- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
-
-- **Manual**. You can manually turn on Credential Guard by doing the following:
-
- - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
-
- - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
-
- You can automate these manual steps by using a management tool such as System Center Configuration Manager.
-
-For more information about implementing Credential Guard, see the following resources:
-
-- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard)
-- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx)
-- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
-
-\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*
-
-### Device Guard
-
-Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
-
-1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate.
-
-2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
-
-3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
-
-4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
-
-5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
-
-6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
-
-7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
-
-For more information about implementing Device Guard, see:
-
-- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process)
-- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide)
-
-### AppLocker management
-
-You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
-
-For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide).
-
-### App-V
-
-App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows:
-
-- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
-
-- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
-
-- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices.
-
-For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
-
-- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started)
-- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server)
-- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client)
-
-### UE-V
-UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include:
-
-- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
-
-- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location.
-
-- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings.
-
-- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications.
-
-- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
-
-For more information about deploying UE-V, see the following resources:
-
-- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows)
-- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started)
-- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment)
-
-### Managed User Experience
-
-The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
-
-*Table 2. Managed User Experience features*
-
-| Feature | Description |
-|------------------|-----------------|
-| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). |
-| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover. For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). |
-| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown. For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). |
-| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell. For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). |
-| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose. For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). |
-| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume. For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). |
-
-## Related topics
-
-[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md)
- [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
- [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
- [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
+---
+title: Windows 10 Enterprise E3 in CSP
+description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition.
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+ms.date: 08/24/2017
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+audience: itpro
+author: greg-lindsay
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Windows 10 Enterprise E3 in CSP
+
+Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:
+
+- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded
+- Azure Active Directory (Azure AD) available for identity management
+
+Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro.
+
+Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
+
+When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits:
+
+- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB).
+
+- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
+
+- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
+
+- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days).
+
+- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization.
+
+- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
+
+How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
+
+- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
+
+- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
+
+ - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
+
+ - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
+
+ - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
+
+ - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
+
+ In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
+
+In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition.
+
+## Compare Windows 10 Pro and Enterprise editions
+
+Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
+
+*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro*
+
+
+
+
+
+
+
+
+
Feature
+
Description
+
+
+
+
+
Credential Guard
+
This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.
+
Credential Guard has the following features:
+
+
Hardware-level security. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
+
Virtualization-based security. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
+
Improved protection against persistent threats. Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.
+
Improved manageability. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.
Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)
+
+
+
Device Guard
+
This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.
+
Device Guard does the following:
+
+
Helps protect against malware
+
Helps protect the Windows system core from vulnerability and zero-day exploits
This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.
With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
+
UE-V provides the ability to do the following:
+
+
Specify which application and Windows settings synchronize across user devices
+
Deliver the settings anytime and anywhere users work throughout the enterprise
+
Create custom templates for your third-party or line-of-business applications
+
Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state
This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:
+
+
Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands
+
Removing Log Off (the User tile) from the Start menu
+
Removing frequent programs from the Start menu
+
Removing the All Programs list from the Start menu
+
Preventing users from customizing their Start screen
+
Forcing Start menu to be either full-screen size or menu size
+
Preventing changes to Taskbar and Start menu settings
+
+
+
+
+
+## Deployment of Windows 10 Enterprise E3 licenses
+
+See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
+
+## Deploy Windows 10 Enterprise features
+
+Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)?
+
+The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features.
+
+### Credential Guard\*
+
+You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
+
+- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
+
+- **Manual**. You can manually turn on Credential Guard by doing the following:
+
+ - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
+
+ - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+ You can automate these manual steps by using a management tool such as Microsoft Endpoint Configuration Manager.
+
+For more information about implementing Credential Guard, see the following resources:
+
+- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard)
+- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx)
+- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
+
+\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*
+
+### Device Guard
+
+Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
+
+1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate.
+
+2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
+
+3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
+
+4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
+
+5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
+
+6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
+
+7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
+
+For more information about implementing Device Guard, see:
+
+- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process)
+- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide)
+
+### AppLocker management
+
+You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
+
+For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide).
+
+### App-V
+
+App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows:
+
+- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
+
+- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
+
+- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices.
+
+For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
+
+- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started)
+- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server)
+- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client)
+
+### UE-V
+UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include:
+
+- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
+
+- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location.
+
+- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings.
+
+- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications.
+
+- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
+
+For more information about deploying UE-V, see the following resources:
+
+- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows)
+- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started)
+- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment)
+
+### Managed User Experience
+
+The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
+
+*Table 2. Managed User Experience features*
+
+| Feature | Description |
+|------------------|-----------------|
+| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). |
+| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover. For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). |
+| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown. For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). |
+| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell. For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). |
+| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose. For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). |
+| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume. For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). |
+
+## Related topics
+
+[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md)
+ [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
+ [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+ [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 2b435c0edc..24743735e8 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -44,7 +44,7 @@ For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can
-When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
+When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package:
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 87eea0e845..a9ffbb1c73 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -1,655 +1,657 @@
----
-title: Step by step - Deploy Windows 10 in a test lab using MDT
-description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-keywords: deployment, automate, tools, configure, mdt
-ms.localizationpriority: medium
-ms.date: 10/11/2017
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-
-# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
-
-**Applies to**
-
-- Windows 10
-
-**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-
-Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
-- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
-The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
-- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
-- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
-- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
-
->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
-
-## In this guide
-
-This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image.
-
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-
-
-
-
-## About MDT
-
-MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
-- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
-- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
-- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager.
-
-## Install MDT
-
-1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
-
- ```
- $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
- Stop-Process -Name Explorer
- ```
-2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
-
-3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
-
-3. If desired, re-enable IE Enhanced Security Configuration:
-
- ```
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
- Stop-Process -Name Explorer
- ```
-
-## Create a deployment share and reference image
-
-A reference image serves as the foundation for Windows 10 devices in your organization.
-
-1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
- ```
-2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
-
-4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**.
-
-5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-6. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish**
-
-
-7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
-
-8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
-
-9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
-
-10. Use the following settings for the Import Operating System Wizard:
- - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: click **Next**
- - Progress: wait for files to be copied
- - Confirmation: click **Finish**
-
- >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
-
-11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence**
- - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- - Specify Product Key: **Do not specify a product key at this time**
- - Full Name: **Contoso**
- - Organization: **Contoso**
- - Internet Explorer home page: **http://www.contoso.com**
- - Admin Password: **Do not specify an Administrator password at this time**
- - Summary: click **Next**
- - Confirmation: click **Finish**
-
-
-12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-
-13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**.
-
-14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change.
-
-15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
-
-16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
-
-17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
-
- >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
-
-18. Click **OK** to complete editing the task sequence.
-
-19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab.
-
-20. Replace the default rules with the following text:
-
- ```
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- UserDataLocation=NONE
- DoCapture=YES
- OSInstall=Y
- AdminPassword=pass@word1
- TimeZoneName=Pacific Standard Time
- OSDComputername=#Left("PC-%SerialNumber%",7)#
- JoinWorkgroup=WORKGROUP
- HideShell=YES
- FinishAction=SHUTDOWN
- DoNotCreateExtraPartition=YES
- ApplyGPOPack=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=YES
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=YES
- SkipBitLocker=YES
- SkipSummary=YES
- SkipRoles=YES
- SkipCapture=NO
- SkipFinalSummary=NO
- ```
-
-21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
-
- ```
- [Settings]
- Priority=Default
-
- [Default]
- DeployRoot=\\SRV1\MDTBuildLab$
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-
-22. Click **OK** to complete the configuration of the deployment share.
-
-23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
-
-24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
-
-25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
-
- >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
-
-26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
-
-
-
- The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
-
-27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
-
-28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
-
- Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
-
- - Install the Windows 10 Enterprise operating system.
- - Install added applications, roles, and features.
- - Update the operating system using Windows Update (or WSUS if optionally specified).
- - Stage Windows PE on the local disk.
- - Run System Preparation (Sysprep) and reboot into Windows PE.
- - Capture the installation to a Windows Imaging (WIM) file.
- - Turn off the virtual machine.
-
- This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
-
-## Deploy a Windows 10 image using MDT
-
-This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
-
-1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
- - **Deployment share path**: C:\MDTProd
- - **Share name**: MDTProd$
- - **Deployment share description**: MDT Production
- - **Options**: accept the default
-
-
-2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**.
-
-3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
-
-4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
-
-5. On the **OS Type** page, choose **Custom image file** and then click **Next**.
-
-6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**.
-
-7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
-
-8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**.
-
-9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**.
-
-10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
-
- 
-
-
-### Create the deployment task sequence
-
-1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**.
-
-2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- - Task sequence ID: W10-X64-001
- - Task sequence name: Windows 10 Enterprise x64 Custom Image
- - Task sequence comments: Production Image
- - Select Template: Standard Client Task Sequence
- - Select OS: Windows 10 Enterprise x64 Custom Image
- - Specify Product Key: Do not specify a product key at this time
- - Full Name: Contoso
- - Organization: Contoso
- - Internet Explorer home page: http://www.contoso.com
- - Admin Password: pass@word1
-
-### Configure the MDT production deployment share
-
-1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
-
- ```
- copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
- copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
- ```
-2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**.
-
-3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet):
-
- ```
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- OSDComputername=#Left("PC-%SerialNumber%",7)#
- AdminPassword=pass@word1
- JoinDomain=contoso.com
- DomainAdmin=administrator
- DomainAdminDomain=CONTOSO
- DomainAdminPassword=pass@word1
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=YES
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- EventService=http://SRV1:9800
- ```
- **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
-
- >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
-
- If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
-
- ```
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- ```
-
- For example, to migrate **all** users on the computer, replace this line with the following:
-
- ```
- ScanStateArgs=/all
- ```
-
- For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx).
-
-4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
-
- ```
- [Settings]
- Priority=Default
-
- [Default]
- DeployRoot=\\SRV1\MDTProd$
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-5. Click **OK** when finished.
-
-### Update the deployment share
-
-1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**.
-
-2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
-
-3. Click **Finish** when the update is complete.
-
-### Enable deployment monitoring
-
-1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**.
-
-2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
-
-3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/).
-
-4. Close Internet Explorer.
-
-### Configure Windows Deployment Services
-
-1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
- WDSUTIL /Set-Server /AnswerClients:All
- ```
-
-2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**.
-
-3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**.
-
-4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image.
-
-### Deploy the client image
-
-1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway.
-
- >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
-
- Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
-
- ```
- Disable-NetAdapter "Ethernet 2" -Confirm:$false
- ```
-
- >Wait until the disable-netadapter command completes before proceeding.
-
-
-2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
-
- ```
- New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
- Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
- ```
-
- >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
-
-3. Start the new VM and connect to it:
-
- ```
- Start-VM PC2
- vmconnect localhost PC2
- ```
-4. When prompted, hit ENTER to start the network boot process.
-
-5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
-
-6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
-
- ```
- Enable-NetAdapter "Ethernet 2"
- ```
-7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
-8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
-
- 
-
-
-This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
-
-## Refresh a computer with Windows 10
-
-This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
-
-1. If the PC1 VM is not already running, then start and connect to it:
-
- ```
- Start-VM PC1
- vmconnect localhost PC1
- ```
-
-2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- Checkpoint-VM -Name PC1 -SnapshotName BeginState
- ```
-
-3. Sign on to PC1 using the CONTOSO\Administrator account.
-
- >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
-
-4. Open an elevated command prompt on PC1 and type the following:
-
- ```
- cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
- ```
-
- **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer.
-
-5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
-
-6. Choose **Do not back up the existing computer** and click **Next**.
-
- **Note**: The USMT will still back up the computer.
-
-7. Lite Touch Installation will perform the following actions:
- - Back up user settings and data using USMT.
- - Install the Windows 10 Enterprise X64 operating system.
- - Update the operating system via Windows Update.
- - Restore user settings and data using USMT.
-
- You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
-
-8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
-
-9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- Checkpoint-VM -Name PC1 -SnapshotName RefreshState
- ```
-
-10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
- Start-VM PC1
- vmconnect localhost PC1
- ```
-
-11. Sign in to PC1 using the contoso\administrator account.
-
-## Replace a computer with Windows 10
-
-At a high level, the computer replace process consists of:
-- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
-- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
-
-### Create a backup-only task sequence
-
-1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
-2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share.
-3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- New-Item -Path C:\MigData -ItemType directory
- New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
- icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
- ```
-4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**.
-5. Name the new folder **Other**, and complete the wizard using default options.
-6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard:
- - **Task sequence ID**: REPLACE-001
- - **Task sequence name**: Backup Only Task Sequence
- - **Task sequence comments**: Run USMT to back up user data and settings
- - **Template**: Standard Client Replace Task Sequence (note: this is not the default template)
-7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings.
-8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence.
-
-### Run the backup-only task sequence
-
-1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
-
- ```
- whoami
- ```
-2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1:
-
- ```
- Remove-Item c:\minint -recurse
- Remove-Item c:\_SMSTaskSequence -recurse
- Restart-Computer
- ```
-3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
-
- ```
- cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
- ```
-4. Complete the deployment wizard using the following:
- - **Task Sequence**: Backup Only Task Sequence
- - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
- - **Computer Backup**: Do not back up the existing computer.
-5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
-6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
-7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
-
- ```
- PS C:\> dir C:\MigData\PC1\USMT
-
- Directory: C:\MigData\PC1\USMT
-
- Mode LastWriteTime Length Name
- ---- ------------- ------ ----
- -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
- ```
- ### Deploy PC3
-
-8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
-
- ```
- New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
- Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
- ```
-9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- Disable-NetAdapter "Ethernet 2" -Confirm:$false
- ```
-
- >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
-
-
-10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- Start-VM PC3
- vmconnect localhost PC3
- ```
-
-11. When prompted, press ENTER for network boot.
-
-12. On PC3, use the following settings for the Windows Deployment Wizard:
- - **Task Sequence**: Windows 10 Enterprise x64 Custom Image
- - **Move Data and Settings**: Do not move user data and settings
- - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
-
-13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
-
- ```
- Enable-NetAdapter "Ethernet 2"
- ```
-14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
-
-15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
-
-16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
-
-17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
-
-## Troubleshooting logs, events, and utilities
-
-Deployment logs are available on the client computer in the following locations:
-- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
-- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
-- After deployment: %WINDIR%\TEMP\DeploymentLogs
-
-You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
-
-Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012)
-
-Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
-
-## Related Topics
-
-[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
-[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
-
-
-
-
-
-
-
+---
+title: Step by step - Deploy Windows 10 in a test lab using MDT
+description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt
+ms.localizationpriority: medium
+ms.date: 10/11/2017
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+
+# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
+
+**Applies to**
+
+- Windows 10
+
+**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+
+Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
+- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+
+The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
+- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
+- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
+- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
+
+>This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
+
+## In this guide
+
+This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image.
+
+Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
+
+
+
+## About MDT
+
+MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
+- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
+- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Endpoint Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
+- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Endpoint Configuration Manager.
+
+## Install MDT
+
+1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
+ Stop-Process -Name Explorer
+ ```
+2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
+
+3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
+
+3. If desired, re-enable IE Enhanced Security Configuration:
+
+ ```
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
+ Stop-Process -Name Explorer
+ ```
+
+## Create a deployment share and reference image
+
+A reference image serves as the foundation for Windows 10 devices in your organization.
+
+1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
+ ```
+2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
+
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+
+4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**.
+
+5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+
+6. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTBuildLab**
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish**
+
+
+7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
+
+8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
+
+9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+
+10. Use the following settings for the Import Operating System Wizard:
+ - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next**
+ - Progress: wait for files to be copied
+ - Confirmation: click **Finish**
+
+ >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
+
+11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence**
+ - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
+ - Specify Product Key: **Do not specify a product key at this time**
+ - Full Name: **Contoso**
+ - Organization: **Contoso**
+ - Internet Explorer home page: **http://www.contoso.com**
+ - Admin Password: **Do not specify an Administrator password at this time**
+ - Summary: click **Next**
+ - Confirmation: click **Finish**
+
+
+12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
+
+13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**.
+
+14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change.
+
+15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
+
+16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
+
+17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
+
+ >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
+
+18. Click **OK** to complete editing the task sequence.
+
+19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab.
+
+20. Replace the default rules with the following text:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ UserDataLocation=NONE
+ DoCapture=YES
+ OSInstall=Y
+ AdminPassword=pass@word1
+ TimeZoneName=Pacific Standard Time
+ OSDComputername=#Left("PC-%SerialNumber%",7)#
+ JoinWorkgroup=WORKGROUP
+ HideShell=YES
+ FinishAction=SHUTDOWN
+ DoNotCreateExtraPartition=YES
+ ApplyGPOPack=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=YES
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=YES
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipRoles=YES
+ SkipCapture=NO
+ SkipFinalSummary=NO
+ ```
+
+21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ DeployRoot=\\SRV1\MDTBuildLab$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
+
+22. Click **OK** to complete the configuration of the deployment share.
+
+23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
+
+24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
+
+25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
+
+ >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
+
+26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+
+
+
+ The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
+
+27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
+
+28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
+
+ Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
+
+ - Install the Windows 10 Enterprise operating system.
+ - Install added applications, roles, and features.
+ - Update the operating system using Windows Update (or WSUS if optionally specified).
+ - Stage Windows PE on the local disk.
+ - Run System Preparation (Sysprep) and reboot into Windows PE.
+ - Capture the installation to a Windows Imaging (WIM) file.
+ - Turn off the virtual machine.
+
+ This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
+
+## Deploy a Windows 10 image using MDT
+
+This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
+
+1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
+ - **Deployment share path**: C:\MDTProd
+ - **Share name**: MDTProd$
+ - **Deployment share description**: MDT Production
+ - **Options**: accept the default
+
+
+2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**.
+
+3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
+
+4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+
+5. On the **OS Type** page, choose **Custom image file** and then click **Next**.
+
+6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**.
+
+7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
+
+8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**.
+
+9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**.
+
+10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
+
+ 
+
+
+### Create the deployment task sequence
+
+1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**.
+
+2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: W10-X64-001
+ - Task sequence name: Windows 10 Enterprise x64 Custom Image
+ - Task sequence comments: Production Image
+ - Select Template: Standard Client Task Sequence
+ - Select OS: Windows 10 Enterprise x64 Custom Image
+ - Specify Product Key: Do not specify a product key at this time
+ - Full Name: Contoso
+ - Organization: Contoso
+ - Internet Explorer home page: http://www.contoso.com
+ - Admin Password: pass@word1
+
+### Configure the MDT production deployment share
+
+1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
+
+ ```
+ copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
+ copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
+ ```
+2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**.
+
+3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet):
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=YES
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ OSDComputername=#Left("PC-%SerialNumber%",7)#
+ AdminPassword=pass@word1
+ JoinDomain=contoso.com
+ DomainAdmin=administrator
+ DomainAdminDomain=CONTOSO
+ DomainAdminPassword=pass@word1
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=YES
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ EventService=http://SRV1:9800
+ ```
+ **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
+
+ >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
+
+ If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
+
+ ```
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ ```
+
+ For example, to migrate **all** users on the computer, replace this line with the following:
+
+ ```
+ ScanStateArgs=/all
+ ```
+
+ For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx).
+
+4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ DeployRoot=\\SRV1\MDTProd$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
+5. Click **OK** when finished.
+
+### Update the deployment share
+
+1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**.
+
+2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
+
+3. Click **Finish** when the update is complete.
+
+### Enable deployment monitoring
+
+1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**.
+
+2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
+
+3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/).
+
+4. Close Internet Explorer.
+
+### Configure Windows Deployment Services
+
+1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
+ WDSUTIL /Set-Server /AnswerClients:All
+ ```
+
+2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**.
+
+3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**.
+
+4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image.
+
+### Deploy the client image
+
+1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway.
+
+ >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
+
+ Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
+
+ ```
+ Disable-NetAdapter "Ethernet 2" -Confirm:$false
+ ```
+
+ >Wait until the disable-netadapter command completes before proceeding.
+
+
+2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+ Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
+ ```
+
+ >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
+
+3. Start the new VM and connect to it:
+
+ ```
+ Start-VM PC2
+ vmconnect localhost PC2
+ ```
+4. When prompted, hit ENTER to start the network boot process.
+
+5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
+
+6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+
+ ```
+ Enable-NetAdapter "Ethernet 2"
+ ```
+7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
+8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
+
+ 
+
+
+This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
+
+## Refresh a computer with Windows 10
+
+This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
+
+1. If the PC1 VM is not already running, then start and connect to it:
+
+ ```
+ Start-VM PC1
+ vmconnect localhost PC1
+ ```
+
+2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name PC1 -SnapshotName BeginState
+ ```
+
+3. Sign on to PC1 using the CONTOSO\Administrator account.
+
+ >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
+
+4. Open an elevated command prompt on PC1 and type the following:
+
+ ```
+ cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
+ ```
+
+ **Note**: For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](https://docs.microsoft.com/configmgr/core/support/tools).
+
+5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
+
+6. Choose **Do not back up the existing computer** and click **Next**.
+
+ **Note**: The USMT will still back up the computer.
+
+7. Lite Touch Installation will perform the following actions:
+ - Back up user settings and data using USMT.
+ - Install the Windows 10 Enterprise X64 operating system.
+ - Update the operating system via Windows Update.
+ - Restore user settings and data using USMT.
+
+ You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
+
+8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
+
+9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name PC1 -SnapshotName RefreshState
+ ```
+
+10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
+ Start-VM PC1
+ vmconnect localhost PC1
+ ```
+
+11. Sign in to PC1 using the contoso\administrator account.
+
+## Replace a computer with Windows 10
+
+At a high level, the computer replace process consists of:
+- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
+- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
+
+### Create a backup-only task sequence
+
+1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
+2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share.
+3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ New-Item -Path C:\MigData -ItemType directory
+ New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
+ icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
+ ```
+4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**.
+5. Name the new folder **Other**, and complete the wizard using default options.
+6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard:
+ - **Task sequence ID**: REPLACE-001
+ - **Task sequence name**: Backup Only Task Sequence
+ - **Task sequence comments**: Run USMT to back up user data and settings
+ - **Template**: Standard Client Replace Task Sequence (note: this is not the default template)
+7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings.
+8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence.
+
+### Run the backup-only task sequence
+
+1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
+
+ ```
+ whoami
+ ```
+2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1:
+
+ ```
+ Remove-Item c:\minint -recurse
+ Remove-Item c:\_SMSTaskSequence -recurse
+ Restart-Computer
+ ```
+3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
+
+ ```
+ cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
+ ```
+4. Complete the deployment wizard using the following:
+ - **Task Sequence**: Backup Only Task Sequence
+ - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
+ - **Computer Backup**: Do not back up the existing computer.
+5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
+6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
+7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
+
+ ```
+ PS C:\> dir C:\MigData\PC1\USMT
+
+ Directory: C:\MigData\PC1\USMT
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
+ ```
+ ### Deploy PC3
+
+8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+ Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
+ ```
+9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Disable-NetAdapter "Ethernet 2" -Confirm:$false
+ ```
+
+ >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
+
+
+10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Start-VM PC3
+ vmconnect localhost PC3
+ ```
+
+11. When prompted, press ENTER for network boot.
+
+12. On PC3, use the following settings for the Windows Deployment Wizard:
+ - **Task Sequence**: Windows 10 Enterprise x64 Custom Image
+ - **Move Data and Settings**: Do not move user data and settings
+ - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
+
+13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
+
+ ```
+ Enable-NetAdapter "Ethernet 2"
+ ```
+14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
+
+15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
+
+16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
+
+17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
+
+## Troubleshooting logs, events, and utilities
+
+Deployment logs are available on the client computer in the following locations:
+- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
+- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
+- After deployment: %WINDIR%\TEMP\DeploymentLogs
+
+You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
+
+Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012)
+
+Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
+
+## Related Topics
+
+[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
+[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+
+
+
+
+
+
+
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 929b097d58..fc6a392e8f 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,1081 +1,1083 @@
----
-title: Step by step - Deploy Windows 10 using System Center Configuration Manager
-description: Deploy Windows 10 in a test lab using System Center Configuration Manager
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-keywords: deployment, automate, tools, configure, sccm
-ms.localizationpriority: medium
-ms.date: 10/11/2017
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 in a test lab using System Center Configuration Manager
-
-**Applies to**
-
-- Windows 10
-
-**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides:
-- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
-- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-
-Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide.
-
-The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
-- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
-- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
-- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
-This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
-
->Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
-
-## In this guide
-
-This guide provides end-to-end instructions to install and configure System Center Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
-
-Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-
-
-
Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.
Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT
90 minutes
-
-
-
-
-
-## Install prerequisites
-1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
- ```
-
- >If the request to add features fails, retry the installation by typing the command again.
-
-2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
-3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
- ```
-
- This command mounts the .ISO file to drive D on SRV1.
-
-4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
-
- ```
- D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
- ```
- Installation will take several minutes. When installation is complete, the following output will be displayed:
-
- ```
- Microsoft (R) SQL Server 2014 12.00.5000.00
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Microsoft (R) .NET Framework CasPol 2.0.50727.7905
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Success
- Microsoft (R) .NET Framework CasPol 2.0.50727.7905
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Success
- One or more affected files have operations pending.
- You should restart your computer to complete this process.
- PS C:\>
- ```
-5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
- New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
- New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
- ```
-
-7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
-
-## Install System Center Configuration Manager
-
-1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
-
- ```
- $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
- Stop-Process -Name Explorer
- ```
-
-2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
-
-3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
-
- ```
- Get-Service Winmgmt
-
- Status Name DisplayName
- ------ ---- -----------
- Running Winmgmt Windows Management Instrumentation
-
- Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed
-
- ComputerName : 192.168.0.2
- RemoteAddress : 192.168.0.2
- RemotePort : 135
- AllNameResolutionResults :
- MatchingIPsecRules :
- NetworkIsolationContext : Internet
- InterfaceAlias : Ethernet
- SourceAddress : 192.168.0.2
- NetRoute (NextHop) : 0.0.0.0
- PingSucceeded : True
- PingReplyDetails (RTT) : 0 ms
- TcpTestSucceeded : True
- ```
- You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
-
- If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
-
-4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
-
- ```
- cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
- ```
-
-5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
-
- ```
- adsiedit.msc
- ```
-
-6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**.
-7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**.
-8. Click **container** and then click **Next**.
-9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**.
-10. Right-click **CN=system Management** and then click **Properties**.
-11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**.
-12. Under **Enter the object names to select**, type **SRV1** and click **OK**.
-13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
-14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**.
-15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times.
-16. Close the ADSI Edit console and switch back to SRV1.
-17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
- ```
-18. Provide the following in the System Center Configuration Manager Setup Wizard:
- - **Before You Begin**: Read the text and click *Next*.
- - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- - Click **Yes** in response to the popup window.
- - **Product Key**: Choose **Install the evaluation edition of this Product**.
- - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox.
- - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page.
- - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**.
- - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**.
- - use default settings for all other options
- - **Usage Data**: Read the text and click **Next**.
- - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use).
- - **Settings Summary**: Review settings and click **Next**.
- - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
-
- >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment.
-
- Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
-
-19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
-
- ```
- Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
- Stop-Process -Name Explorer
- ```
-
-## Download MDOP and install DaRT
-
->[!IMPORTANT]
->This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
->If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/).
-
-1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
-
-2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
- ```
-3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
- ```
-4. Install DaRT 10 using default settings.
-5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
- Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86"
- ```
-
-## Prepare for Zero Touch installation
-
-This section contains several procedures to support Zero Touch installation with System Center Configuration Manager.
-
-### Create a folder structure
-
-1. Type the following commands at a Windows PowerShell prompt on SRV1:
-
- ```
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\OS"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT"
- New-Item -ItemType Directory -Path "C:\Logs"
- New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE
- New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE
- ```
-
-### Enable MDT ConfigMgr integration
-
-1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**.
-2. Type **PS1** next to **Site code**, and then click **Next**.
-3. Verify **The process completed successfully** is displayed, and then click **Finish**.
-
-### Configure client settings
-
-1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**.
-2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar.
-3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab.
-4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**.
-5. In the display pane, double-click **Default Client Settings**.
-6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**.
-
-### Configure the network access account
-
-1. In the Administration workspace, expand **Site Configuration** and click **Sites**.
-2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**.
-3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
-4. Click the yellow starburst and then click **New Account**.
-5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
-6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice.
-
-### Configure a boundary group
-
-1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**.
-2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**.
-3. Choose **Default-First-Site-Name** and then click **OK** twice.
-4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**.
-5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**.
-6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox.
-7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice.
-
-### Add the state migration point role
-
-1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**.
-2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
-3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**.
-4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
-5. Click **Next** twice and then click **Close**.
-
-### Enable PXE on the distribution point
-
->[!IMPORTANT]
->Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
-```
-WDSUTIL /Set-Server /AnswerClients:None
-```
-
-1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- (Get-NetAdapter "Ethernet").MacAddress
- ```
- >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
-
-2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
-3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
-4. On the PXE tab, select the following settings:
- - **Enable PXE support for clients**. Click **Yes** in the popup that appears.
- - **Allow this distribution point to respond to incoming PXE requests**
- - **Enable unknown computer support**. Click **OK** in the popup that appears.
- - **Require a password when computers use PXE**
- - **Password** and **Confirm password**: pass@word1
- - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
-
- See the following example:
-
-
-
-5. Click **OK**.
-6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
-
- ```
- cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
-
- abortpxe.com
- bootmgfw.efi
- bootmgr.exe
- pxeboot.com
- pxeboot.n12
- wdsmgfw.efi
- wdsnbp.com
- ```
- >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
- >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
-
- ```
- Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
- ```
-
- The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
-
- Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
-
- Once the files are present in the REMINST share location, you can close the cmtrace tool.
-
-### Create a branding image file
-
-1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
-2. Type the following command at an elevated Windows PowerShell prompt:
-
- ```
- copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
- ```
- >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
-
-
-### Create a boot image for Configuration Manager
-
-1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
-2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
- - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
-3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
-4. On the Options page, under **Platform** choose **x64**, and click **Next**.
-5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
-6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
-7. Click **Finish**.
-8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
-9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
-10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
- ```
-
- In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
-
- ```
- STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
- ```
-
-11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
-12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
-13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
-14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
-
- ```
- cmd /c dir /s /b C:\RemoteInstall\SMSImages
-
- C:\RemoteInstall\SMSImages\PS100004
- C:\RemoteInstall\SMSImages\PS100005
- C:\RemoteInstall\SMSImages\PS100006
- C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
- C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
- C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
- ```
-
- >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
-
-### Create a Windows 10 reference image
-
-If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
-
-1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
- ```
-2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
-
-4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-5. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish**
-
-6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
-
-7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
-
-7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
-
-8. Use the following settings for the Import Operating System Wizard:
- - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: click **Next**
- - Confirmation: click **Finish**
-
-9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
-
-10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence**
- - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- - Specify Product Key: **Do not specify a product key at this time**
- - Full Name: **Contoso**
- - Organization: **Contoso**
- - Internet Explorer home page: **http://www.contoso.com**
- - Admin Password: **Do not specify an Administrator password at this time**
- - Summary: click **Next**
- - Confirmation: click **Finish**
-
-11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-
-12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
-
-13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again.
-
-14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
-
-15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
-
-16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
- >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
-
-17. Click **OK** to complete editing the task sequence.
-
-18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab.
-
-19. Replace the default rules with the following text:
-
- ```
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- UserDataLocation=NONE
- DoCapture=YES
- OSInstall=Y
- AdminPassword=pass@word1
- TimeZoneName=Pacific Standard TimeZoneName
- OSDComputername=#Left("PC-%SerialNumber%",7)#
- JoinWorkgroup=WORKGROUP
- HideShell=YES
- FinishAction=SHUTDOWN
- DoNotCreateExtraPartition=YES
- ApplyGPOPack=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=YES
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=YES
- SkipBitLocker=YES
- SkipSummary=YES
- SkipRoles=YES
- SkipCapture=NO
- SkipFinalSummary=NO
- ```
-
-20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
-
- ```
- [Settings]
- Priority=Default
-
- [Default]
- DeployRoot=\\SRV1\MDTBuildLab$
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-
-21. Click **OK** to complete the configuration of the deployment share.
-
-22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
-
-23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
-
-24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
-
- >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
-
-25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
-
- ```
- New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
- Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
- Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
- Start-VM REFW10X64-001
- vmconnect localhost REFW10X64-001
- ```
-26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
-
-27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
-
- Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
-
- - Install the Windows 10 Enterprise operating system.
- - Install added applications, roles, and features.
- - Update the operating system using Windows Update (or WSUS if optionally specified).
- - Stage Windows PE on the local disk.
- - Run System Preparation (Sysprep) and reboot into Windows PE.
- - Capture the installation to a Windows Imaging (WIM) file.
- - Turn off the virtual machine.
-
- This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
-
-### Add a Windows 10 operating system image
-
-1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
- cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
- ```
-
-2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**.
-
-3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**.
-
-4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**.
-
-5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**.
-
-6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
-
-7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
-
- >If content distribution is not successful, verify that sufficient disk space is available.
-
-### Create a task sequence
-
->Complete this section slowly. There are a large number of similar settings from which to choose.
-
-1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
-
-2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**.
-
-3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
-
-4. On the Details page, enter the following settings:
- - Join a domain: **contoso.com**
- - Account: click **Set**
- - User name: **contoso\CM_JD**
- - Password: pass@word1
- - Confirm password: pass@word1
- - Click **OK**
- - Windows Settings
- - User name: **Contoso**
- - Organization name: **Contoso**
- - Product key: \
- - Administrator Account: **Enable the account and specify the local administrator password**
- - Password: pass@word1
- - Confirm password: pass@word1
- - Click **Next**
-
-5. On the Capture Settings page, accept the default settings and click **Next**.
-
-6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**.
-
-7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**.
-
-8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**.
-
-9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**.
-
-10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**.
-
-11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**.
-
-12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**.
-
-13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**.
-
-14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**.
-
-15. On the Sysprep Package page, click **Next** twice.
-
-16. On the Confirmation page, click **Finish**.
-
-### Edit the task sequence
-
-1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**.
-
-2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action.
-
-3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**.
-
-4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**.
-
-5. Configure the **Request State Store** action that was just added with the following settings:
- - Request state storage location to: **Restore state from another computer**
- - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
- - Options tab: Select the **Continue on error** checkbox.
- - Add Condition: **Task Sequence Variable**:
- - Variable: **USMTLOCAL**
- - Condition: **not equals**
- - Value: **True**
- - Click **OK**.
- - Click **Apply** .
-
-6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**.
-
-7. Configure the **Release State Store** action that was just added with the following settings:
- - Options tab: Select the **Continue on error** checkbox.
- - Add Condition: **Task Sequence Variable**:
- - Variable: **USMTLOCAL**
- - Condition: **not equals**
- - Value: **True**
- - Click **OK**.
- - Click **OK** .
-
-
-### Finalize the operating system configuration
-
->If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini.
-
-1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**.
-
-2. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTProduction**
- - Share name: **MDTProduction$**
- - Deployment share description: **MDT Production**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish**
-
-3. Right-click the **MDT Production** deployment share, and click **Properties**.
-
-4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
-
-5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
- ```
-6. Replace the contents of the file with the following text, and then save the file:
-
- ```
- [Settings]
- Priority=Default
- Properties=OSDMigrateConfigFiles,OSDMigrateMode
-
- [Default]
- DoCapture=NO
- ComputerBackupLocation=NONE
- OSDMigrateMode=Advanced
- OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
- OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
- SLSHARE=\\SRV1\Logs$
- EventService=http://SRV1:9800
- ApplyGPOPack=NO
- ```
-
- >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts:
-
- ```
- OSDMigrateAdditionalCaptureOptions=/all
- ```
-
-
-7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears.
-
-8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**.
-
-9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
-
-10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**.
-
-### Create a deployment for the task sequence
-
-1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**.
-
-2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**.
-
-3. On the Deployment Settings page, use the following settings:
- - Purpose: **Available**
- - Make available to the following: **Only media and PXE**
- - Click **Next**.
-4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
-
-5. Click **Close**.
-
-## Deploy Windows 10 using PXE and Configuration Manager
-
-In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings.
-
-1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
- Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
- Start-VM PC4
- vmconnect localhost PC4
- ```
-
-2. Press ENTER when prompted to start the network boot service.
-
-3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**.
-
-4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
-
-5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
-
-6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
- - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted.
- - x:\smstslog\smsts.log after disks are formatted.
- - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed.
- - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed.
- - c:\windows\ccm\logs\smsts.log when the task sequence is complete.
-
- Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open.
-
-7. In the explorer window, click **Tools** and then click **Map Network Drive**.
-
-8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1.
-
-9. Close the Map Network Drive window, the Explorer window, and the command prompt.
-
-10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment.
-
-11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
- - Install Windows 10
- - Install the Configuration Manager client and hotfix
- - Join the computer to the contoso.com domain
- - Install any applications that were specified in the reference image
-
-
-12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
-
-13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image.
-
-14. Shut down the PC4 VM.
-
->Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete.
-
-## Replace a client with Windows 10 using Configuration Manager
-
->Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
-
-
-
-In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer.
-
-### Create a replace task sequence
-
-1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
-
-2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**.
-
-3. On the General page, type the following:
- - Task sequence name: **Replace Task Sequence**
- - Task sequence comments: **USMT backup only**
-
-4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue.
-5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue.
-6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue.
-7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue.
-8. On the Summary page, review the details and then click **Next**.
-9. On the Confirmation page, click **Finish**.
-
->If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration.
-
-### Deploy PC4
-
-Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-```
-New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
-Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20
-Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
-```
-
->Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer.
-
-### Install the Configuration Manager client on PC1
-
-1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
-
-2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- Checkpoint-VM -Name PC1 -SnapshotName BeginState
- ```
-
-3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**.
-4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
-5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times.
-6. When a popup dialog box asks if you want to run full discovery, click **Yes**.
-7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
-
- 
-
- >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console.
-
- The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next.
-
-8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt:
-
- ```
- sc stop ccmsetup
- "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
- ```
- >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/).
-
-9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue:
-
- ```
- net stop wuauserv
- net stop BITS
- ```
-
- Verify that both services were stopped successfully, then type the following at an elevated command prompt:
-
- ```
- del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
- net start BITS
- bitsadmin /list /allusers
- ```
-
- Verify that BITSAdmin displays 0 jobs.
-
-10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt:
-
- ```
- "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1
- ```
-11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
-12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
-
- ```
- Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait
- ```
-
- Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
-
-13. On PC1, open the Configuration Manager control panel applet by typing the following command:
-
- ```
- control smscfgrc
- ```
-
-14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
-
- 
-
- If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
-
-15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
-
-16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
-
- 
-
- >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
-
-### Create a device collection and deployment
-
-1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
-
-2. Use the following settings in the **Create Device Collection Wizard**:
- - General > Name: **Install Windows 10 Enterprise x64**
- - General > Limiting collection: **All Systems**
- - Membership Rules > Add Rule: **Direct Rule**
- - The **Create Direct Membership Rule Wizard** opens, click **Next**
- - Search for Resources > Resource class: **System Resource**
- - Search for Resources > Attribute name: **Name**
- - Search for Resources > Value: **%**
- - Select Resources > Value: Select the computername associated with the PC1 VM
- - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close)
-
-3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
-
-4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**.
-
-5. Use the following settings in the Deploy Software wizard:
- - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
- - Deployment Settings > Purpose: **Available**
- - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
- - Scheduling > Click **Next**
- - User Experience > Click **Next**
- - Alerts > Click **Next**
- - Distribution Points > Click **Next**
- - Summary > Click **Next**
- - Verify that the wizard completed successfully and then click **Close**
-
-
-### Associate PC4 with PC1
-
-1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**.
-
-2. On the Select Source page, choose **Import single computer** and click **Next**.
-
-3. On the Single Computer page, use the following settings:
- - Computer Name: **PC4**
- - MAC Address: **00:15:5D:83:26:FF**
- - Source Computer: \
-
-4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**.
-
-5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice.
-
-6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account.
-
-7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**.
-
-8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**.
-
-9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**.
-
-10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**.
-
-11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
-
- 
-
-### Create a device collection for PC1
-
-1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
-
-2. Use the following settings in the **Create Device Collection Wizard**:
- - General > Name: **USMT Backup (Replace)**
- - General > Limiting collection: **All Systems**
- - Membership Rules > Add Rule: **Direct Rule**
- - The **Create Direct Membership Rule Wizard** opens, click **Next**
- - Search for Resources > Resource class: **System Resource**
- - Search for Resources > Attribute name: **Name**
- - Search for Resources > Value: **%**
- - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
- - Click **Next** twice and then click **Close** in both windows.
-
-3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed.
-
-### Create a new deployment
-
-In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings:
-- General > Collection: **USMT Backup (Replace)**
-- Deployment Settings > Purpose: **Available**
-- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
-- Scheduling: Click **Next**
-- User Experience: Click **Next**
-- Alerts: Click **Next**
-- Distribution Points: Click **Next**
-- Click **Next** and then click **Close**.
-
-### Verify the backup
-
-1. On PC1, open the Configuration Manager control panel applet by typing the following command:
-
- ```
- control smscfgrc
- ```
-2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure.
-
-3. Type the following at an elevated command prompt to open the Software Center:
-
- ```
- C:\Windows\CCM\SCClient.exe
- ```
-
-4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
-
- 
-
- >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
-
-5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**.
-6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup.
-
-### Deploy the new computer
-
-1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host:
-
- ```
- Start-VM PC4
- vmconnect localhost PC4
- ```
-2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**.
-3. Choose the **Windows 10 Enterprise X64** image.
-4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
-5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs.
-
- To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```
- Checkpoint-VM -Name DC1 -SnapshotName cm-refresh
- Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh
- Checkpoint-VM -Name PC1 -SnapshotName cm-refresh
- ```
-
-## Refresh a client with Windows 10 using Configuration Manager
-
-
-### Initiate the computer refresh
-
-1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
-2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box.
-3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
-4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
-
- 
-
- The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example:
-
- 
-
- You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**.
-
- When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
-
- 
-
-
-
-## Related Topics
-
-[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides)
-
-
-
-
-
-
-
+---
+title: Step by step - Deploy Windows 10 using Microsoft Endpoint Configuration Manager
+description: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, sccm
+ms.localizationpriority: medium
+ms.date: 10/11/2017
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides:
+- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+
+Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide.
+
+The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
+- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
+- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
+- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
+This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
+
+>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
+
+## In this guide
+
+This guide provides end-to-end instructions to install and configure Microsoft Endpoint Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
+
+Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
+
+
Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.
Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT
90 minutes
+
+
+
+
+
+## Install prerequisites
+1. Before installing Microsoft Endpoint Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
+ ```
+
+ >If the request to add features fails, retry the installation by typing the command again.
+
+2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
+3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
+ ```
+
+ This command mounts the .ISO file to drive D on SRV1.
+
+4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
+
+ ```
+ D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
+ ```
+ Installation will take several minutes. When installation is complete, the following output will be displayed:
+
+ ```
+ Microsoft (R) SQL Server 2014 12.00.5000.00
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Microsoft (R) .NET Framework CasPol 2.0.50727.7905
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Success
+ Microsoft (R) .NET Framework CasPol 2.0.50727.7905
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ Success
+ One or more affected files have operations pending.
+ You should restart your computer to complete this process.
+ PS C:\>
+ ```
+5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow
+ New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
+ ```
+
+7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
+
+## Install Microsoft Endpoint Configuration Manager
+
+1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
+
+ ```
+ $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
+ Stop-Process -Name Explorer
+ ```
+
+2. Download [Microsoft Endpoint Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+
+3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
+
+ ```
+ Get-Service Winmgmt
+
+ Status Name DisplayName
+ ------ ---- -----------
+ Running Winmgmt Windows Management Instrumentation
+
+ Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed
+
+ ComputerName : 192.168.0.2
+ RemoteAddress : 192.168.0.2
+ RemotePort : 135
+ AllNameResolutionResults :
+ MatchingIPsecRules :
+ NetworkIsolationContext : Internet
+ InterfaceAlias : Ethernet
+ SourceAddress : 192.168.0.2
+ NetRoute (NextHop) : 0.0.0.0
+ PingSucceeded : True
+ PingReplyDetails (RTT) : 0 ms
+ TcpTestSucceeded : True
+ ```
+ You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
+
+ If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
+
+4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
+
+ ```
+ cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
+ ```
+
+5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
+
+ ```
+ adsiedit.msc
+ ```
+
+6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**.
+7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**.
+8. Click **container** and then click **Next**.
+9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**.
+10. Right-click **CN=system Management** and then click **Properties**.
+11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**.
+12. Under **Enter the object names to select**, type **SRV1** and click **OK**.
+13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
+14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**.
+15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times.
+16. Close the ADSI Edit console and switch back to SRV1.
+17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
+ ```
+18. Provide the following in the Microsoft Endpoint Configuration Manager Setup Wizard:
+ - **Before You Begin**: Read the text and click *Next*.
+ - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
+ - Click **Yes** in response to the popup window.
+ - **Product Key**: Choose **Install the evaluation edition of this Product**.
+ - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox.
+ - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page.
+ - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**.
+ - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**.
+ - use default settings for all other options
+ - **Usage Data**: Read the text and click **Next**.
+ - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use).
+ - **Settings Summary**: Review settings and click **Next**.
+ - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
+
+ >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment.
+
+ Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
+
+19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
+
+ ```
+ Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
+ Stop-Process -Name Explorer
+ ```
+
+## Download MDOP and install DaRT
+
+>[!IMPORTANT]
+>This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
+>If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/).
+
+1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
+
+2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
+ ```
+3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
+ ```
+4. Install DaRT 10 using default settings.
+5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
+ Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86"
+ ```
+
+## Prepare for Zero Touch installation
+
+This section contains several procedures to support Zero Touch installation with Microsoft Endpoint Configuration Manager.
+
+### Create a folder structure
+
+1. Type the following commands at a Windows PowerShell prompt on SRV1:
+
+ ```
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\OS"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding"
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT"
+ New-Item -ItemType Directory -Path "C:\Logs"
+ New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE
+ New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE
+ ```
+
+### Enable MDT ConfigMgr integration
+
+1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**.
+2. Type **PS1** next to **Site code**, and then click **Next**.
+3. Verify **The process completed successfully** is displayed, and then click **Finish**.
+
+### Configure client settings
+
+1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**.
+2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar.
+3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab.
+4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**.
+5. In the display pane, double-click **Default Client Settings**.
+6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**.
+
+### Configure the network access account
+
+1. In the Administration workspace, expand **Site Configuration** and click **Sites**.
+2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**.
+3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
+4. Click the yellow starburst and then click **New Account**.
+5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
+6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice.
+
+### Configure a boundary group
+
+1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**.
+2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**.
+3. Choose **Default-First-Site-Name** and then click **OK** twice.
+4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**.
+5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**.
+6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox.
+7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice.
+
+### Add the state migration point role
+
+1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**.
+2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
+3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**.
+4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
+5. Click **Next** twice and then click **Close**.
+
+### Enable PXE on the distribution point
+
+>[!IMPORTANT]
+>Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+```
+WDSUTIL /Set-Server /AnswerClients:None
+```
+
+1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ (Get-NetAdapter "Ethernet").MacAddress
+ ```
+ >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
+
+2. In the Microsoft Endpoint Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
+3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
+4. On the PXE tab, select the following settings:
+ - **Enable PXE support for clients**. Click **Yes** in the popup that appears.
+ - **Allow this distribution point to respond to incoming PXE requests**
+ - **Enable unknown computer support**. Click **OK** in the popup that appears.
+ - **Require a password when computers use PXE**
+ - **Password** and **Confirm password**: pass@word1
+ - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
+
+ See the following example:
+
+
+
+5. Click **OK**.
+6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+
+ ```
+ cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
+
+ abortpxe.com
+ bootmgfw.efi
+ bootmgr.exe
+ pxeboot.com
+ pxeboot.n12
+ wdsmgfw.efi
+ wdsnbp.com
+ ```
+ >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
+ >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+
+ The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
+
+ Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
+
+ Once the files are present in the REMINST share location, you can close the cmtrace tool.
+
+### Create a branding image file
+
+1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
+2. Type the following command at an elevated Windows PowerShell prompt:
+
+ ```
+ copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
+ ```
+ >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
+
+
+### Create a boot image for Configuration Manager
+
+1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
+2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
+ - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
+3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
+4. On the Options page, under **Platform** choose **x64**, and click **Next**.
+5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
+6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
+7. Click **Finish**.
+8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
+9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
+10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ ```
+
+ In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
+
+ ```
+ STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
+ ```
+
+11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
+13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
+14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
+
+ ```
+ cmd /c dir /s /b C:\RemoteInstall\SMSImages
+
+ C:\RemoteInstall\SMSImages\PS100004
+ C:\RemoteInstall\SMSImages\PS100005
+ C:\RemoteInstall\SMSImages\PS100006
+ C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
+ C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
+ C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
+ ```
+
+ >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
+
+### Create a Windows 10 reference image
+
+If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
+
+1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+
+ ```
+ Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
+ ```
+2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
+
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+
+4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+
+5. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTBuildLab**
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish**
+
+6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
+
+7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
+
+7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+
+8. Use the following settings for the Import Operating System Wizard:
+ - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next**
+ - Confirmation: click **Finish**
+
+9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
+
+10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence**
+ - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
+ - Specify Product Key: **Do not specify a product key at this time**
+ - Full Name: **Contoso**
+ - Organization: **Contoso**
+ - Internet Explorer home page: **http://www.contoso.com**
+ - Admin Password: **Do not specify an Administrator password at this time**
+ - Summary: click **Next**
+ - Confirmation: click **Finish**
+
+11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
+
+12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
+
+13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again.
+
+14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
+
+15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
+
+16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
+ >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
+
+17. Click **OK** to complete editing the task sequence.
+
+18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab.
+
+19. Replace the default rules with the following text:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ UserDataLocation=NONE
+ DoCapture=YES
+ OSInstall=Y
+ AdminPassword=pass@word1
+ TimeZoneName=Pacific Standard TimeZoneName
+ OSDComputername=#Left("PC-%SerialNumber%",7)#
+ JoinWorkgroup=WORKGROUP
+ HideShell=YES
+ FinishAction=SHUTDOWN
+ DoNotCreateExtraPartition=YES
+ ApplyGPOPack=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=YES
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=YES
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipRoles=YES
+ SkipCapture=NO
+ SkipFinalSummary=NO
+ ```
+
+20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
+
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ DeployRoot=\\SRV1\MDTBuildLab$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
+
+21. Click **OK** to complete the configuration of the deployment share.
+
+22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
+
+23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
+
+24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
+
+ >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
+
+25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+
+ ```
+ New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
+ Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
+ Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
+ Start-VM REFW10X64-001
+ vmconnect localhost REFW10X64-001
+ ```
+26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
+
+27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
+
+ Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
+
+ - Install the Windows 10 Enterprise operating system.
+ - Install added applications, roles, and features.
+ - Update the operating system using Windows Update (or WSUS if optionally specified).
+ - Stage Windows PE on the local disk.
+ - Run System Preparation (Sysprep) and reboot into Windows PE.
+ - Capture the installation to a Windows Imaging (WIM) file.
+ - Turn off the virtual machine.
+
+ This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
+
+### Add a Windows 10 operating system image
+
+1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
+ cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
+ ```
+
+2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**.
+
+3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**.
+
+4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**.
+
+5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**.
+
+6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
+
+7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
+
+ >If content distribution is not successful, verify that sufficient disk space is available.
+
+### Create a task sequence
+
+>Complete this section slowly. There are a large number of similar settings from which to choose.
+
+1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
+
+2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**.
+
+3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
+
+4. On the Details page, enter the following settings:
+ - Join a domain: **contoso.com**
+ - Account: click **Set**
+ - User name: **contoso\CM_JD**
+ - Password: pass@word1
+ - Confirm password: pass@word1
+ - Click **OK**
+ - Windows Settings
+ - User name: **Contoso**
+ - Organization name: **Contoso**
+ - Product key: \
+ - Administrator Account: **Enable the account and specify the local administrator password**
+ - Password: pass@word1
+ - Confirm password: pass@word1
+ - Click **Next**
+
+5. On the Capture Settings page, accept the default settings and click **Next**.
+
+6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**.
+
+7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**.
+
+8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**.
+
+9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**.
+
+10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**.
+
+11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**.
+
+12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**.
+
+13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**.
+
+14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**.
+
+15. On the Sysprep Package page, click **Next** twice.
+
+16. On the Confirmation page, click **Finish**.
+
+### Edit the task sequence
+
+1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**.
+
+2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action.
+
+3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**.
+
+4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**.
+
+5. Configure the **Request State Store** action that was just added with the following settings:
+ - Request state storage location to: **Restore state from another computer**
+ - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **Apply** .
+
+6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**.
+
+7. Configure the **Release State Store** action that was just added with the following settings:
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **OK** .
+
+
+### Finalize the operating system configuration
+
+>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini.
+
+1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**.
+
+2. Use the following settings for the New Deployment Share Wizard:
+ - Deployment share path: **C:\MDTProduction**
+ - Share name: **MDTProduction$**
+ - Deployment share description: **MDT Production**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish**
+
+3. Right-click the **MDT Production** deployment share, and click **Properties**.
+
+4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
+
+5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```
+ notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
+ ```
+6. Replace the contents of the file with the following text, and then save the file:
+
+ ```
+ [Settings]
+ Priority=Default
+ Properties=OSDMigrateConfigFiles,OSDMigrateMode
+
+ [Default]
+ DoCapture=NO
+ ComputerBackupLocation=NONE
+ OSDMigrateMode=Advanced
+ OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
+ OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
+ SLSHARE=\\SRV1\Logs$
+ EventService=http://SRV1:9800
+ ApplyGPOPack=NO
+ ```
+
+ >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts:
+
+ ```
+ OSDMigrateAdditionalCaptureOptions=/all
+ ```
+
+
+7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears.
+
+8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**.
+
+9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
+
+10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**.
+
+### Create a deployment for the task sequence
+
+1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**.
+
+2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**.
+
+3. On the Deployment Settings page, use the following settings:
+ - Purpose: **Available**
+ - Make available to the following: **Only media and PXE**
+ - Click **Next**.
+4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
+
+5. Click **Close**.
+
+## Deploy Windows 10 using PXE and Configuration Manager
+
+In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings.
+
+1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+ Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
+ Start-VM PC4
+ vmconnect localhost PC4
+ ```
+
+2. Press ENTER when prompted to start the network boot service.
+
+3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**.
+
+4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
+
+5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
+
+6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
+ - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted.
+ - x:\smstslog\smsts.log after disks are formatted.
+ - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Configuration Manager client is installed.
+ - c:\windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Configuration Manager client is installed.
+ - c:\windows\ccm\logs\smsts.log when the task sequence is complete.
+
+ Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open.
+
+7. In the explorer window, click **Tools** and then click **Map Network Drive**.
+
+8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1.
+
+9. Close the Map Network Drive window, the Explorer window, and the command prompt.
+
+10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment.
+
+11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
+ - Install Windows 10
+ - Install the Configuration Manager client and hotfix
+ - Join the computer to the contoso.com domain
+ - Install any applications that were specified in the reference image
+
+
+12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
+
+13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image.
+
+14. Shut down the PC4 VM.
+
+>Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete.
+
+## Replace a client with Windows 10 using Configuration Manager
+
+>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
+
+
+
+In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer.
+
+### Create a replace task sequence
+
+1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**.
+
+2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**.
+
+3. On the General page, type the following:
+ - Task sequence name: **Replace Task Sequence**
+ - Task sequence comments: **USMT backup only**
+
+4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue.
+5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue.
+6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue.
+7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue.
+8. On the Summary page, review the details and then click **Next**.
+9. On the Confirmation page, click **Finish**.
+
+>If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration.
+
+### Deploy PC4
+
+Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+```
+New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20
+Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
+```
+
+>Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer.
+
+### Install the Configuration Manager client on PC1
+
+1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
+
+2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name PC1 -SnapshotName BeginState
+ ```
+
+3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**.
+4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
+5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times.
+6. When a popup dialog box asks if you want to run full discovery, click **Yes**.
+7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
+
+ 
+
+ >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console.
+
+ The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next.
+
+8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt:
+
+ ```
+ sc stop ccmsetup
+ "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
+ ```
+ >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the SCCM client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/).
+
+9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue:
+
+ ```
+ net stop wuauserv
+ net stop BITS
+ ```
+
+ Verify that both services were stopped successfully, then type the following at an elevated command prompt:
+
+ ```
+ del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
+ net start BITS
+ bitsadmin /list /allusers
+ ```
+
+ Verify that BITSAdmin displays 0 jobs.
+
+10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt:
+
+ ```
+ "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1
+ ```
+11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
+12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
+
+ ```
+ Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait
+ ```
+
+ Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
+
+13. On PC1, open the Configuration Manager control panel applet by typing the following command:
+
+ ```
+ control smscfgrc
+ ```
+
+14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
+
+ 
+
+ If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
+
+15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
+
+16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
+
+ 
+
+ >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
+
+### Create a device collection and deployment
+
+1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
+
+2. Use the following settings in the **Create Device Collection Wizard**:
+ - General > Name: **Install Windows 10 Enterprise x64**
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM
+ - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close)
+
+3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
+
+4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**.
+
+5. Use the following settings in the Deploy Software wizard:
+ - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
+ - Deployment Settings > Purpose: **Available**
+ - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
+ - Scheduling > Click **Next**
+ - User Experience > Click **Next**
+ - Alerts > Click **Next**
+ - Distribution Points > Click **Next**
+ - Summary > Click **Next**
+ - Verify that the wizard completed successfully and then click **Close**
+
+
+### Associate PC4 with PC1
+
+1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**.
+
+2. On the Select Source page, choose **Import single computer** and click **Next**.
+
+3. On the Single Computer page, use the following settings:
+ - Computer Name: **PC4**
+ - MAC Address: **00:15:5D:83:26:FF**
+ - Source Computer: \
+
+4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**.
+
+5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice.
+
+6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account.
+
+7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**.
+
+8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**.
+
+9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**.
+
+10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**.
+
+11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
+
+ 
+
+### Create a device collection for PC1
+
+1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
+
+2. Use the following settings in the **Create Device Collection Wizard**:
+ - General > Name: **USMT Backup (Replace)**
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
+ - Click **Next** twice and then click **Close** in both windows.
+
+3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed.
+
+### Create a new deployment
+
+In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings:
+- General > Collection: **USMT Backup (Replace)**
+- Deployment Settings > Purpose: **Available**
+- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
+- Scheduling: Click **Next**
+- User Experience: Click **Next**
+- Alerts: Click **Next**
+- Distribution Points: Click **Next**
+- Click **Next** and then click **Close**.
+
+### Verify the backup
+
+1. On PC1, open the Configuration Manager control panel applet by typing the following command:
+
+ ```
+ control smscfgrc
+ ```
+2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure.
+
+3. Type the following at an elevated command prompt to open the Software Center:
+
+ ```
+ C:\Windows\CCM\SCClient.exe
+ ```
+
+4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
+
+ 
+
+ >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
+
+5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**.
+6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup.
+
+### Deploy the new computer
+
+1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host:
+
+ ```
+ Start-VM PC4
+ vmconnect localhost PC4
+ ```
+2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**.
+3. Choose the **Windows 10 Enterprise X64** image.
+4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
+5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs.
+
+ To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+
+ ```
+ Checkpoint-VM -Name DC1 -SnapshotName cm-refresh
+ Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh
+ Checkpoint-VM -Name PC1 -SnapshotName cm-refresh
+ ```
+
+## Refresh a client with Windows 10 using Configuration Manager
+
+
+### Initiate the computer refresh
+
+1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
+2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box.
+3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
+4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
+
+ 
+
+ The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example:
+
+ 
+
+ You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**.
+
+ When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
+
+ 
+
+
+
+## Related Topics
+
+[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides)
+
+
+
+
+
+
+
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index fb9fdbecee..2b72ab624c 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -25,7 +25,7 @@ ms.topic: article
This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
-- [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance.
@@ -111,13 +111,13 @@ Hardware requirements are displayed below:
Any Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
-
RAM
+
RAM
8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
- 16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.
+ 16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.
Any
-
Disk
+
Disk
200 GB available hard disk space, any format.
Any size, MBR formatted.
@@ -779,7 +779,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
**Configure service and user accounts**
- Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
+ Windows 10 deployment with MDT and Microsoft Endpoint Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
>To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
index 4d7af27528..e674b3196e 100644
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -21,7 +21,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
@@ -41,7 +41,7 @@ Windows Autopilot does not require delegated administrator permissions when esta
## Automatic registration of existing devices
-If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot.
+If an existing device is already running a supported version of Windows 10 semi-annual channel and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot.
For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting.
@@ -53,22 +53,22 @@ To perform manual registration of a device, you must first capture its hardware
## Device identification
-To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation.
+To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 installation.
The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device.
Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded.
-### Collecting the hardware ID from existing devices using System Center Configuration Manager
+### Collecting the hardware ID from existing devices using Microsoft Endpoint Configuration Manager
-Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file.
+Microsoft Endpoint Configuration Manager automatically collects the hardware hashes for existing Windows 10 devices. For more information, see [Gather information from Configuration Manager for Windows Autopilot](https://docs.microsoft.com/configmgr/comanage/how-to-prepare-win10#windows-autopilot). You can extract the hash information from Configuration Manager into a CSV file.
> [!Note]
> Before uploading the CSV file on Intune, please make sure that the first row contains the device serial number, Windows product ID, hardware hash, group tag, and assigned user. If there is header information on the top of CSV file, please delete that header information. See details at [Enroll Windows devices in Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot).
### Collecting the hardware ID from existing devices using PowerShell
-The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
+The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running a supported version of Windows 10 semi-annual channel. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt:
@@ -103,7 +103,7 @@ Once the hardware IDs have been captured from existing devices, they can be uplo
- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business.
- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings.
-A summary of each platform's capabilities is provided below.
+A summary of each platform's capabilities is provided below.
@@ -123,34 +123,43 @@ A summary of each platform's capabilities is provided below.
->*Microsoft recommended platform to use
+>1Microsoft recommended platform to use
+>2Intune license required
+>3Feature capabilities are limited
+>4To be retired
+
+Also see the following topics for more information about device IDs:
+- [Device identification](#device-identification)
+- [Windows Autopilot device guidelines](https://docs.microsoft.com/windows/deployment/windows-autopilot/autopilot-device-guidelines)
+- [Add devices to a customer account](https://docs.microsoft.com/partner-center/autopilot)
+
## Summary
@@ -162,4 +171,4 @@ When deploying new devices using Windows Autopilot, the following steps are requ
## Other configuration settings
-- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started.
+- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
index 63f327622a..43ac6da548 100644
--- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
+++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
@@ -36,7 +36,8 @@ The following additional best practices ensure that devices can easily be provis
## Software best practice guidelines for Windows Autopilot
-- The Windows Autopilot device should be preinstalled with only a Windows 10 base image plus drivers and Office 365 Pro Plus Retail (C2R).
+- The Windows Autopilot device should be preinstalled with only a Windows 10 base image plus drivers.
+- You can preinstall your licensed version of Office, such as [Office 365 ProPlus](https://docs.microsoft.com/deployoffice/about-office-365-proplus-in-the-enterprise).
- Unless explicitly requested by the customer, no other preinstalled software should be included.
- Per OEM Policy, Windows 10 features, including built-in apps, should not be disabled or removed.
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
index e2ac992f75..616f6b21ce 100644
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -45,10 +45,10 @@ A [glossary](#glossary) of abbreviations used in this article is provided at the
| Question | Answer |
| --- | --- |
| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. |
-| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K hardware hash. |
-| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (that is, registration) completed on their behalf. |
+| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using a supported version of Windows 10 semi-annual channel to generate the 4K hardware hash. |
+| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want a supported version of Windows 10 semi-annual channel. Also, they will want to receive the CSV file or have the file upload (that is, registration) completed on their behalf. |
| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). |
-| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment. Otherwise, there are no impacts. |
+| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must be running a supported version of Windows 10 semi-annual channel to enroll in Windows Autopilot deployment. Otherwise, there are no impacts. |
| Will there be any change to the existing CBR with 4K hardware hash? | No. |
| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID using a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. |
@@ -67,9 +67,9 @@ A [glossary](#glossary) of abbreviations used in this article is provided at the
| Question | Answer |
| --- | --- |
-| Must every hardware hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address, and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit hardware hashes that meet the outlined requirement. |
+| Must every hardware hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address, and unique disk serial number (if using Windows 10 OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit hardware hashes that meet the outlined requirement. |
| What is the reason for needing the SMBIOS UUID, MAC Address, and Disk Serial Number in the hardware hash details? | For creating the hardware hash, these are the fields that are needed to identify a device, as parts of the device are added or removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. |
-| What is difference between OA3 hardware hash, 4K hardware hash, and Windows Autopilot hardware hash? | None. They’re different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
+| What is difference between OA3 hardware hash, 4K hardware hash, and Windows Autopilot hardware hash? | None. They’re different names for the same thing. The OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using an older, unsupported Windows version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
| What is the thought around parts replacement and repair for the NIC (network interface controller) and Disk? Will the hardware hash become invalid? | Yes. If you replace parts, you need to gather the new hardware hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device and you must have new hardware hash. If you replace one network card, it’s probably not a new device, and the device will function with the old hardware hash. However, as a best practice, you should assume the old hardware hash is invalid and get a new hardware hash after any hardware changes. This is recommended anytime you replace parts. |
## Motherboard replacement
@@ -111,8 +111,8 @@ A [glossary](#glossary) of abbreviations used in this article is provided at the
| --- | --- |
| Must we use Intune for our MDM? | No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. |
| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. |
-| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. |
-| Must we use SCCM for Windows Autopilot | No. Co-management (described above) is optional. |
+| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like Microsoft Endpoint Configuration Manager. You only need to use the Configuration Manager if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + Configuration Manager, you do it by including a Configuration Manager agent in your Intune profile. When that profile is pushed to the device, the device will see the Configuration Manager agent and go out to the Configuration Manager to pull down any additional profile settings. |
+| Must we use Microsoft Endpoint Configuration Manager for Windows Autopilot | No. Co-management (described above) is optional. |
## Features
@@ -131,10 +131,8 @@ A [glossary](#glossary) of abbreviations used in this article is provided at the
|Question|Answer
|------------------|-----------------|
-|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.|
-|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
-|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients must run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:
Windows Autopilot will not apply its profiles to the machine unless Azure AD credentials match the expected Azure AD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same Azure AD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, you can determine that if the user signs into a domain with a tenant matching the one they registered with, you can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.
**Key takeaways**: When using pre-Windows 10, version 1703 7B clients the user’s domain must match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
-|What is the impact of not updating to 7B?|See the detailed scenario described directly above.|
+|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running a supported version of Windows 10 semi-annual channel, it will receive the Windows Autopilot experience.|
+|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running a supported version of Windows 10 semi-annual channel, you can harvest device fingerprints for registration. There are no plans to backport the functionality to legacy releases and no way to harvest them on devices running unsupported versions of Windows.|
|Is Windows Autopilot supported on other SKUs, for example, Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.|
|Does Windows Autopilot work after MBR or image reinstallation?|Yes.|
| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular Azure AD user can enroll in Azure AD, as well as the number of devices that are supported per user in Intune. (These are configurable but not infinite.) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 42b356bd61..516142c42a 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -39,7 +39,7 @@ The following video provides an overview of the process:
## Prerequisites
These are the things you'll need to complete this lab:
-
Windows 10 installation media
Windows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
+
Windows 10 installation media
Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
Internet access
If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
Hyper-V or a physical device running Windows 10
The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
A Premium Intune account
This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
diff --git a/windows/deployment/windows-autopilot/deployment-process.md b/windows/deployment/windows-autopilot/deployment-process.md
index 3a8781ce86..6723d50e35 100644
--- a/windows/deployment/windows-autopilot/deployment-process.md
+++ b/windows/deployment/windows-autopilot/deployment-process.md
@@ -1,6 +1,6 @@
---
title: Windows 10 deployment process posters
-description: View and download Windows 10 deployment process flows for System Center Configuration Manager and Windows Autopilot.
+description: View and download Windows 10 deployment process flows for Microsoft Endpoint Configuration Manager and Windows Autopilot.
ms.reviewer:
manager: laurawi
ms.audience: itpro
@@ -24,4 +24,4 @@ Windows Autopilot deployment processes are summarized in the poster below. The p
[](../media/Windows10AutopilotFlowchart.pdf)
-**Note**: The Windows Autopilot for existing devices process is included in the [System Center Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-system-center-configuration-manager).
\ No newline at end of file
+**Note**: The Windows Autopilot for existing devices process is included in the [Microsoft Endpoint Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-microsoft-endpoint-configuration-manager).
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index a5c02be0ef..81cc5bf9a7 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -29,12 +29,12 @@ This topic describes how to convert Windows 7 or Windows 8.1 domain-joined compu
## Prerequisites
-- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808)
+- A currently supported version of Microsoft Endpoint Configuration Manager current branch or technical preview branch.
- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later
- - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809.
+ - For more information on Configuration Manager support, see [Support for Windows 10 ADK](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10#windows-10-adk).
- Assigned Microsoft Intune Licenses
- Azure Active Directory Premium
-- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image
+- Windows 10 version 1809 or later imported into Configuration Manager as an Operating System Image
- **Important**: See [Known issues](known-issues.md) if you are using Windows 10 1903 with Configuration Manager’s built-in **Windows Autopilot existing device** task sequence template. Currently, one of the steps in this task sequence must be edited to work properly with Windows 10, version 1903.
## Procedures
@@ -47,7 +47,7 @@ To enable and configure the enrollment and status page:
1. Open [Intune in the Azure portal](https://aka.ms/intuneportal).
2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status).
-3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users.
+3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/configmgr/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users.
See the following examples.
@@ -138,7 +138,7 @@ See the following examples.
- After saving the file, move the file to a location suitable as an SCCM package source.
+ After saving the file, move the file to a location suitable as a Microsoft Endpoint Configuration Manager package source.
>[!IMPORTANT]
>Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.
**Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
@@ -156,7 +156,7 @@ See the following examples.
- Program Type: **Do not create a program**
4. Click **Next** twice and then click **Close**.
-**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package.
+**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Configuration Manager package.
### Create a target collection
@@ -215,7 +215,7 @@ See the following examples.
- Click **Next**.
>[!NOTE]
- >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices.
+ >Because the Autopilot for existing devices task sequence completes while in Windows PE, User State Migration Toolkit (USMT) data migration is not supported as there is no way to restore the user state into the new OS. Also, the User State Migration Toolkit (USMT) does not support Azure AD-joined devices.
7. On the Include Updates page, choose one of the three available options. This selection is optional.
8. On the Install applications page, add applications if desired. This is optional.
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 63437b2ab3..f58d814409 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -80,9 +80,9 @@ On Windows 10 version 1709 and above, information about the Autopilot profile se
| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. |
| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
-### Windows 10 version 1703 and above
+### Windows 10 semi-annual channel supported versions
-On Windows 10 version 1703 and above, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information.
+On devices running a [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information.
## Troubleshooting Azure AD Join issues
@@ -106,7 +106,7 @@ When a profile is downloaded depends on the version of Windows 10 that is runnin
| Windows 10 version | Profile download behavior |
| --- | --- |
-| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. |
+| 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. |
| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. |
| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. |
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index e8fdb8a2c2..45520df78e 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -28,7 +28,7 @@ Windows Autopilot user-driven mode is designed to enable new Windows 10 devices
After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be suppressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available.
-Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
+Today, Windows Autopilot user-driven mode supports Azure Active Directory and Hybrid Azure Active Directory joined devices. See [What is a device identity](https://docs.microsoft.com/azure/active-directory/devices/overview) for more information about these two join options.
## Available user-driven modes
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index 1b234651ad..338d548271 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -27,7 +27,7 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
## Software requirements
-- Windows 10 version 1703 (semi-annual channel) or higher is required.
+- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported.
- The following editions are supported:
- Windows 10 Pro
- Windows 10 Pro Education
@@ -36,6 +36,9 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
- Windows 10 Education
- Windows 10 Enterprise 2019 LTSC
+>[!NOTE]
+>Procedures for deploying Windows Autopilot might refer to specific products and versions. The inclusion of these products in this content doesn't imply an extension of support for a version that is beyond its support lifecycle. Windows Autopilot does not support products that are beyond their support lifecycle. For more information, see [Microsoft Lifecycle Policy](https://go.microsoft.com/fwlink/p/?LinkId=208270).
+
## Networking requirements
Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
@@ -118,8 +121,11 @@ Specific scenarios will then have additional requirements. Generally, there are
See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
For a walkthrough for some of these and related steps, see this video:
-
-
+
+
+
+
+
There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md
index 7079e66d14..a24ff772a4 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot.md
@@ -31,7 +31,7 @@ Windows Autopilot is designed to simplify all parts of the lifecycle of Windows
When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features.
-Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.
+Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, Microsoft Endpoint Configuration Manager, and other similar tools. Windows Autopilot can also be used to re-purpose a device by leveraging Windows Autopilot Reset to quickly prepare a device for a new user, or in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.
Windows Autopilot enables you to:
* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
@@ -58,7 +58,7 @@ From the IT pro's perspective, the only interaction required from the end user i
## Requirements
-Windows 10 version 1703 or higher is required to use Windows Autopilot. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements.
+A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel is required to use Windows Autopilot. Windows 10 Enterprise LTSC 2019 is also supported. See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on software, configuration, network, and licensing requirements.
## Related topics
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index 2119a4bb72..b679ecf92c 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1321,9 +1321,9 @@ The following fields are available:
- **IsEDPEnabled** Represents if Enterprise data protected on the device.
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
-- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment.
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Microsoft Endpoint Configuration Manager environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
-- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier.
+- **SystemCenterID** The Microsoft Endpoint Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier.
### Census.Firmware
@@ -3129,7 +3129,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
@@ -4528,7 +4528,7 @@ The following fields are available:
- **DeviceIsMdmManaged** This device is MDM managed.
- **IsNetworkAvailable** If the device network is not available.
- **IsNetworkMetered** If network is metered.
-- **IsSccmManaged** This device is SCCM managed.
+- **IsSccmManaged** This device is managed by Microsoft Endpoint Configuration Manager.
- **NewlyInstalledOs** OS is newly installed quiet period.
- **PausedByPolicy** Updates are paused by policy.
- **RecoveredFromRS3** Previously recovered from RS3.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 8c6ee5c804..e6d8367682 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -3276,7 +3276,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 64a869e06a..81f8c0c5fc 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -4604,7 +4604,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index bbf2e70bfb..8048327d37 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -2994,7 +2994,7 @@ The following fields are available:
- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network.
- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device.
- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device.
-- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date.
+- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft Endpoint Configuration Manager client to keep the operating system and applications up to date.
- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated.
- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications.
- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services).
@@ -5410,7 +5410,7 @@ The following fields are available:
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
- **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected.
- **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
- **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use.
- **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress.
- **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry.
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 64cfa25866..c70d65a6ce 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -149,3 +149,20 @@ The **Review problem reports** tool opens, showing you your Windows Error Report
+## Known Issues with Diagnostic Data Viewer
+
+### Microsoft Edge diagnostic data appearing as a blob of text
+
+**Applicable to:** The new Microsoft Edge (v. 79.x.x.x or higher)
+
+**Issue:** In some cases, diagnostic data collected and sent from the New Microsoft Edge fails to be translated by the decoder. When decoding fails, the data appears as a blob of text in the Diagnostic Data Viewer. We are working on a fix for this issue.
+
+**Workaround:**
+
+- Restart your computer and open Diagnostic Data Viewer.
+
+*OR*
+
+- Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer.
+
+**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text.
\ No newline at end of file
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
index 404538ea70..829cea21b4 100644
--- a/windows/release-information/resolved-issues-windows-10-1607.yml
+++ b/windows/release-information/resolved-issues-windows-10-1607.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
Summary
Originating update
Status
Date resolved
+
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
Internet Explorer 11 and apps using the WebBrowser control may fail to render JavaScript may fail to render as expected in IE11 and in apps using JavaScript or the WebBrowser control.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.
SCVMM cannot enumerate and manage logical switches deployed on the host System Center Virtual Machine Manager cannot enumerate and manage logical switches deployed on managed hosts.
Some applications may fail to run as expected on clients of AD FS 2016 Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set toDENY.
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host after installing KB4467684.
Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.
Affected platforms:
Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
IME may become unresponsive or have High CPU usage Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
Domain connected devices that use MIT Kerberos realms will not start up Devices may not start after updating when connected to a domain that is configured to use MIT Kerberos realms.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Microsoft Defender Advanced Threat Protection might stop running The Microsoft Defender ATP service might stop running and might fail to send reporting data.
Windows Mixed Reality Portal users may intermittently receive a 15-5 error code You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Microsoft Defender Advanced Threat Protection might stop running
After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.
Note Microsoft Windows Defender Antivirus is not affected by this issue.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.
Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.
Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.
dGPU occasionally disappear from device manager on Surface Book 2 Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.
Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start on devices in which the operating system language was changed between updates.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.
RASMAN service may stop working and result in the error “0xc0000005” The RASMAN service may stop working with VPN profiles configured as an Always On VPN connection.
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows LogsinEvent Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.
This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.
Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.
To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
You may receive an error when opening or using the Toshiba Qosmio AV Center Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109. WUAHandler 14/11/2019 16:33:23 980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
Issues manually installing updates by double-clicking the .msu file You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109. WUAHandler 14/11/2019 16:33:23 980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
+
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
Cluster service may fail if the minimum password length is set to greater than 14 The cluster service may fail to start if “Minimum Password Length” is configured with greater than 14 characters.
Cluster service may fail if the minimum password length is set to greater than 14
After installing KB4467684, the cluster service may fail to start with the error \"2245 (NERR_PasswordTooShort)\" if the Group Policy \"Minimum Password Length\" is configured with greater than 14 characters.
Affected platforms:
Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
Server: Windows Server 2016
Workaround: Set the domain default \"Minimum Password Length\" policy to less than or equal to 14 characters.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Devices with some Asian language packs installed may receive an error Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
"
diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml
index 61f2073d2e..36288e57f2 100644
--- a/windows/release-information/status-windows-10-1909.yml
+++ b/windows/release-information/status-windows-10-1909.yml
@@ -21,7 +21,7 @@ sections:
Find information on known issues and the status of the rollout for Windows 10, version 1909 and Windows Server, version 1909. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
Current status as of December 5, 2019:
Windows 10, version 1909 is available for any user on a recent version of Windows 10 who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
Beginning today, we will slowly start the phased process to automatically initiate a feature update for devices running the October 2018 Update (Windows 10, version 1809) Home and Pro editions, keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. We are starting this rollout process several months in advance of the end of service date to provide adequate time for a smooth update process.
For information on how users running Windows 10, version 1903 can update to Windows 10, version 1909 in a new, streamlined way, see this post.
Note follow @WindowsUpdate on Twitter to find out when new content is published to the release information dashboard.
+
Current status as of January 21, 2020:
Windows 10, version 1909 is available for any user on a recent version of Windows 10 who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
We are starting the next phase in our controlled approach to automatically initiate a feature update for an increased number of devices running the October 2018 Update (Windows 10, version 1809) Home and Pro editions, keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. Our rollout process starts several months in advance of the end of service date to provide adequate time for a smooth update process.
For information on how users running Windows 10, version 1903 can update to Windows 10, version 1909 in a new, streamlined way, see this post.
Note follow @WindowsUpdate on Twitter to find out when new content is published to the release information dashboard.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
IA64 and x64 devices may fail to start after installing updates After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
After installing KB4534310, your desktop wallpaper when set to \"Stretch\" might display as black.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1
Workaround: To mitigate the issue, you can do one of the following:
Set your custom image to an option other than \"Stretch\", such as “Fill”, “Fit”, “Tile”, or “Center”, or
Choose a custom wallpaper that matches the resolution of your desktop.
Next steps: We are working on a resolution and estimate a solution will be available mid-February, which will be released to all customers running Windows 7 and Windows Server 2008 R2 SP1.
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109. WUAHandler 14/11/2019 16:33:23 980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: You can manually install the November 2019 update for Windows Malicious Software Removal Tool (MSRT) by downloading it here for 32-bit x86-based devices or here for 64-bit x64-based devices. If you are using WSUS or Configuration Manager, guidance can be found here.
Next steps: This issue has been mitigated on the server side and MSRT will no longer offered to affected platforms. We are working on a resolution and estimate a solution will be available in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109. WUAHandler 14/11/2019 16:33:23 980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109. WUAHandler 14/11/2019 16:33:23 980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: You can manually install the November 2019 update for Windows Malicious Software Removal Tool (MSRT) by downloading it here for 32-bit x86-based devices or here for 64-bit x64-based devices. If you are using WSUS or Configuration Manager, guidance can be found here.
Next steps: This issue has been mitigated on the server side and MSRT will no longer offered to affected platforms. We are working on a resolution and estimate a solution will be available in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from Windows Update (WU), Windows Server Update Services (WSUS) or Configuration Manager and might be re-offered. If you use WU or WSUS, you might also receive the following error in the WindowsUpdate.log, “Misc WARNING: Digital Signatures on file C:\\Windows\\SoftwareDistribution\\Download\\XXXX are not trusted: Error 0x800b0109”. If you use Configuration Manager, you might also receive the following error in the WUAHandler.log, \"Failed to download updates to the WUAgent datastore. Error = 0x800b0109. WUAHandler 14/11/2019 16:33:23 980 (0x03D4)\". Note All Configuration Manager information also applies to System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager.
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in the December 2019 release of Windows Malicious Software Removal Tool (MSRT).
Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
\"The request was aborted: Could not create SSL/TLS secure Channel\"
SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.
"
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index ee042491ec..6cba12b21c 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -38,11 +38,11 @@ sections:
image:
src: http://docs.microsoft.com/media/common/i_article.svg
title: What’s new in Windows 10, version 1909
- - href: https://docs.microsoft.com/windows/windows-10/release-information
- html: Visit the Windows 10 release information page >
+ - href: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376
+ html: Learn more >
image:
- src: https://docs.microsoft.com/media/common/i_download-monitor.svg
- title: Find a list of currently supported versions and previous releases
+ src: https://docs.microsoft.com/media/common/i_investigate.svg
+ title: Windows 10 update servicing cadence
- title: Recent announcements
- items:
@@ -50,6 +50,9 @@ sections:
text: "
Message
Date
+
Windows Search shows blank box
We are aware of a temporary server-side issue causing Windows search to show a blank box. This issue has been resolved for most users and in some cases, you might need to restart your device. We are working diligently to fully resolve the issue and will provide an update once resolved.
The January2020 optional monthly “D” release for Windows 10, version 1909 and Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
January 28, 2020 08:00 AM PT
+
January 2020 Windows \"C\" optional release is available.
The January 2020 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
Windows 7 reached end of support on January 14, 2020. If your organization has not yet been able to complete your transition from Windows 7 to Windows 10, and want to continue to receive security updates while you complete your upgrade projects, please read How to get Extended Security Updates for eligible Windows devices. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
The January 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
On January 14, 2020, Microsoft released security updates to address an elliptic-curve cryptography (ECC) certificate validation issue in the Windows CryptoAPI. This vulnerability applies to all versions of the Windows 10 operating system, client and server. While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to all of your Windows 10 devices with priority. Here is what you need to know:
If you are running a supported version of Windows 10 and have automatic updates enabled, you are automatically protected and do not need to take any further action.
If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows 10 devices and servers as soon as possible.
Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier
We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.
June 18, 2019 02:00 PM PT
Windows 10, version 1903 available by selecting “Check for updates”
Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
June 06, 2019 06:00 PM PT
Windows 10, version 1903 rollout begins The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.
May 21, 2019 10:00 AM PT
-
What’s new in Windows Update for Business We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903.
May 21, 2019 10:00 AM PT
-
What’s new for businesses and IT pros in Windows 10 Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity.
We strongly recommend that you install the latest servicing stack update (SSU) before installing any Windows update; especially as an SSU may be a prerequisite for some updates. If you have difficulty installing Windows updates, verify that you have installed the latest SSU package for your version of Windows and then try installing the update again. Links to the latest SSU are always provided in the “How to get this update” section of each update KB article (e.g., KB4494441). For more information about SSUs, see our Servicing stack updates guidance.
Today, we released fixes for a critical wormable, remote code execution vulnerability (CVE-2019-0708) in Remote Desktop Services—formerly known as Terminal Services. This vulnerability affects Windows 7, Windows Server 2008 R2, and earlier versions of Windows nearing end of support. It does not affect Windows 8, Windows Server 2012, or newer operating systems. While we have not observed attacks exploiting this vulnerability, affected systems should be patched with priority. Here is what you need to know:
-Call to action:
-
-
If you are running a supported version of Windows and have automatic updates enabled, you are automatically protected and do not need to take any action.
-
If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply them to your Windows 7, Windows Server 2008 R2, and Windows Server 2008 devices as soon as possible.
-
-Given the potential impact to customers and their businesses, we have also released security updates for Windows XP and Windows Server 2003, even though these operating systems have reached end of support (except by custom support agreements). While we recommend that you upgrade to the current version of Windows to benefit from the latest security protections, these updates are available from the Microsoft Update Catalog only. For more information, see KB4500705.
-
This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
-
-
April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
-
May 1, 2019 was an \\\"optional,\\\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
-
May 3, 2019 was the \\\"optional\\\" Windows 10, version 1809 \\\"C\\\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \\\"required\\\" (instead of \\\"optional\\\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
-
- For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
-
May 10, 2019 10:00 AM PT
"
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 50958f0314..0665f58b3c 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -334,7 +334,7 @@ A strong password is assigned to the KRBTGT and trust accounts automatically. Li
Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
-After you reset the KRBTGT password, ensure that event ID 6 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
+After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
### Security considerations
@@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings
Use DES encryption types for this account
Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).
-Note
DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.
+Note
DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 68102f6e49..d0124ff8cf 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -78,9 +78,6 @@ Applications may cause performance issues when they attempt to hook the isolated
Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
-See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-
-
## Security considerations
All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index 0cfbf47cc6..57b0ea0add 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -30,8 +30,8 @@ Microsoft is committed to its vision of a world without passwords. We rec
## Can I use Windows Hello for Business key trust and RDP?
RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments.
-## Can I deploy Windows Hello for Business using System Center Configuration Manager?
-Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018.
+## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager?
+Windows Hello for Business deployments using Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using Configuration Manager will no longer be supported after November 2018.
## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 012051d5e2..7de79a7f47 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -162,7 +162,7 @@ Primarily for large enterprise organizations with more complex authentication re
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
- IT departments to manage work-owned devices from a central location.
- Users to sign in to their devices with their Active Directory work or school accounts.
-Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them.
+Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Microsoft Endpoint Configuration Manager or group policy (GP) to manage them.
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 41d11386b2..bbe8176263 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -55,6 +55,9 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
+>[!NOTE]
+>Don't confuse the **Request hash** algorithm with the hash argorithm of the certificate.
+
#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index f1d56f5bb0..3e982143da 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -36,18 +36,6 @@ Windows Hello addresses the following problems with passwords:
## Prerequisites
-> [!Important]
-> 1. Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model..
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
->
-> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-
### Cloud Only Deployment
* Windows 10, version 1511 or later
@@ -75,6 +63,18 @@ The table shows the minimum requirements for each deployment. For key trust in a
| Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect |
| Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment |
+> [!Important]
+> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
+> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
+>
+> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
+> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
+
### On-premises Deployments
The table shows the minimum requirements for each deployment.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index e2d0822e3c..cb9490e9cd 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -305,7 +305,7 @@ The OMA-URI references for these settings are as follows:
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
> [!NOTE]
-> If the **Waiting for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
+> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
index 5b2d65942a..116ddd8e14 100644
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -47,7 +47,7 @@ Microsoft information protection technologies include:
## How WIP protects sensitivity labels with endpoint data loss prevention
You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center.
-When you create a sensitivity label, you can specify that endpoint data loss prevention applies to content with that label.
+When you [create a sensitivity label](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels), you can specify that endpoint data loss prevention applies to content with that label.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 3e55222065..e37e6d8711 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -34,8 +34,11 @@
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
-##### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
-##### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
+##### [Web threat protection]()
+###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
+###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
+###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
+##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
@@ -114,7 +117,7 @@
#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
#### [Advanced hunting schema reference]()
##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
-##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
+##### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md)
##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md)
##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md)
@@ -153,6 +156,15 @@
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
+
+## [Deployment guide]()
+### [Product brief](microsoft-defender-atp/product-brief.md)
+### [Prepare deployment](microsoft-defender-atp/prepare-deployment.md)
+### [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
+### [Production deployment](microsoft-defender-atp/production-deployment.md)
+### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
+
+
## [Get started]()
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
@@ -391,6 +403,9 @@
####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
+####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
+####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
+####### [Get security recommendation](microsoft-defender-atp/get-security-recommendations.md)
####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
@@ -441,6 +456,34 @@
####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
+###### [Score]()
+####### [Score methods and properties](microsoft-defender-atp/score.md)
+####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
+####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
+####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
+
+###### [Software]()
+####### [Software methods and properties](microsoft-defender-atp/software.md)
+####### [List software](microsoft-defender-atp/get-software.md)
+####### [Get software by Id](microsoft-defender-atp/get-software-by-id.md)
+####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
+####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
+####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
+
+###### [Vulnerability]()
+####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
+####### [Get all vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
+####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
+####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
+
+###### [Recommendation]()
+####### [Recommendation methods and properties](microsoft-defender-atp/recommendation.md)
+####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md)
+####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md)
+####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md)
+####### [Get recommendation by machines](microsoft-defender-atp/get-recommendation-machines.md)
+####### [Get recommendation by vulnerabilities](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
+
##### [How to use APIs - Samples]()
###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
###### [Power BI](microsoft-defender-atp/api-power-bi.md)
@@ -448,11 +491,18 @@
###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
+#### [Windows updates (KB) info]()
+##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md)
+
+#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
+##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
+
+#### [Pull detections to your SIEM tools]()
#### [Raw data streaming API]()
##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
-
+
#### [SIEM integration]()
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
similarity index 78%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
index c7fd28fc75..50d1242878 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
@@ -1,7 +1,7 @@
---
-title: AlertEvents table in the advanced hunting schema
-description: Learn about alert generation events in the AlertEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category
+title: DeviceAlertEvents table in the advanced hunting schema
+description: Learn about alert generation events in the DeviceAlertEvents table of the advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -15,10 +15,10 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 10/08/2019
+ms.date: 01/22/2020
---
-# AlertEvents
+# DeviceAlertEvents
**Applies to:**
@@ -26,7 +26,7 @@ ms.date: 10/08/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
+The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md
index e12b58d2c7..f386c93d96 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md
@@ -39,7 +39,7 @@ For information on other tables in the advanced hunting schema, see [the advance
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `IsSigned` | boolean | Indicates whether the file is signed |
-| `SignatureType` | string | Indicates whether signature information was read as embedded | content in the file itself or read from an external catalog file |
+| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |
| `Signer` | string | Information about the signer of the file |
| `SignerHash` | string | Unique hash value identifying the signer |
| `Issuer` | string | Information about the issuing certificate authority (CA) |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
index d57a965bcf..fe1f719c73 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@@ -26,7 +26,7 @@ ms.date: 10/08/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The `DeviceImageLoadEvents table` in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
+The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 8eb7542ce5..6e13b372ef 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -37,7 +37,7 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| Table name | Description |
|------------|-------------|
-| **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
+| **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center |
| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information |
| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
index 9efd108ce9..5af1cfe1f1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
@@ -28,7 +28,7 @@ ms.date: 11/12/2019
[!include[Prerelease information](../../includes/prerelease.md)]
-The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
+The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index 8be692ccbc..a040722887 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -74,3 +74,8 @@ See how you can [improve your security configuration](https://docs.microsoft.com
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
+- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
index bff2f62710..c3f4376a4a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
@@ -1,7 +1,7 @@
---
title: Onboarding tools and methods for Windows 10 machines
description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor
-keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune
+keywords: Onboard Windows 10 machines, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -31,7 +31,7 @@ Machines in your organization must be configured so that the Microsoft Defender
The following deployment tools and methods are supported:
- Group Policy
-- System Center Configuration Manager
+- Microsoft Endpoint Configuration Manager
- Mobile Device Management (including Microsoft Intune)
- Local script
@@ -39,7 +39,7 @@ The following deployment tools and methods are supported:
Topic | Description
:---|:---
[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on machines.
-[Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on machines.
+[Onboard Windows machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on machines.
[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine.
[Onboard Windows 10 machines using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 698e0aeb8d..c8ddf79198 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -105,20 +105,24 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
> [!NOTE]
-> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later.
+> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
+> URLs that include v20 in them are only needed if you have Windows 10 machines running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 machine running version 1803 or later and onboarded to US Data Storage region.
Service location | Microsoft.com DNS record
-|-
Common URLs for all locations | ```crl.microsoft.com``` ```ctldl.windowsupdate.com``` ```events.data.microsoft.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com```
-European Union | ```eu.vortex-win.data.microsoft.com``` ```eu-v20.events.data.microsoft.com``` ```usseu1northprod.blob.core.windows.net``` ```usseu1westprod.blob.core.windows.net``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com``` ```wseu1northprod.blob.core.windows.net``` ```wseu1westprod.blob.core.windows.net```
-United Kingdom | ```uk.vortex-win.data.microsoft.com``` ```uk-v20.events.data.microsoft.com``` ```ussuk1southprod.blob.core.windows.net``` ```ussuk1westprod.blob.core.windows.net``` ```winatp-gw-uks.microsoft.com``` ```winatp-gw-ukw.microsoft.com``` ```wsuk1southprod.blob.core.windows.net``` ```wsuk1westprod.blob.core.windows.net```
-United States | ```us.vortex-win.data.microsoft.com``` ```ussus1eastprod.blob.core.windows.net``` ```ussus1westprod.blob.core.windows.net``` ```ussus2eastprod.blob.core.windows.net``` ```ussus2westprod.blob.core.windows.net``` ```ussus3eastprod.blob.core.windows.net``` ```ussus3westprod.blob.core.windows.net``` ```ussus4eastprod.blob.core.windows.net``` ```ussus4westprod.blob.core.windows.net``` ```us-v20.events.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com``` ```wsus1eastprod.blob.core.windows.net``` ```wsus1westprod.blob.core.windows.net``` ```wsus2eastprod.blob.core.windows.net``` ```wsus2westprod.blob.core.windows.net```
+European Union | ```eu.vortex-win.data.microsoft.com``` ```eu-v20.events.data.microsoft.com``` ```usseu1northprod.blob.core.windows.net``` ```usseu1westprod.blob.core.windows.net``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com``` ```wseu1northprod.blob.core.windows.net``` ```wseu1westprod.blob.core.windows.net``` ```automatedirstrprdweu.blob.core.windows.net``` ```automatedirstrprdneu.blob.core.windows.net```
+United Kingdom | ```uk.vortex-win.data.microsoft.com``` ```uk-v20.events.data.microsoft.com``` ```ussuk1southprod.blob.core.windows.net``` ```ussuk1westprod.blob.core.windows.net``` ```winatp-gw-uks.microsoft.com``` ```winatp-gw-ukw.microsoft.com``` ```wsuk1southprod.blob.core.windows.net``` ```wsuk1westprod.blob.core.windows.net``` ```automatedirstrprduks.blob.core.windows.net``` ```automatedirstrprdukw.blob.core.windows.net```
+United States | ```us.vortex-win.data.microsoft.com``` ```ussus1eastprod.blob.core.windows.net``` ```ussus1westprod.blob.core.windows.net``` ```ussus2eastprod.blob.core.windows.net``` ```ussus2westprod.blob.core.windows.net``` ```ussus3eastprod.blob.core.windows.net``` ```ussus3westprod.blob.core.windows.net``` ```ussus4eastprod.blob.core.windows.net``` ```ussus4westprod.blob.core.windows.net``` ```us-v20.events.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com``` ```wsus1eastprod.blob.core.windows.net``` ```wsus1westprod.blob.core.windows.net``` ```wsus2eastprod.blob.core.windows.net``` ```wsus2westprod.blob.core.windows.net``` ```automatedirstrprdcus.blob.core.windows.net``` ```automatedirstrprdeus.blob.core.windows.net```
+
+> [!NOTE]
+> If you are using Windows Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Windows Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
## Microsoft Defender ATP service backend IP range
-If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
+If your network devices don't support the URLs white-listed in the prior section, you can use the following information.
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
@@ -139,9 +143,9 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.
-1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on.
+1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on.
-2. Extract the contents of MDATPClientAnalyzer on the machine.
+2. Extract the contents of MDATPClientAnalyzer.zip on the machine.
3. Open an elevated command-line:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 08b54bfbe4..f6e320c931 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -129,7 +129,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
> [!NOTE]
-> The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs).
+> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Microsoft Endpoint Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
Supported tools include:
- Local script
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index ae15f3e5c4..9cb8182798 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -25,13 +25,13 @@ ms.custom: asr
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the Microsoft Endpoint Configuration Manager and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders.
Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list.
-Apps can also be manually added to the trusted list via SCCM and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
+Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 80c8e25156..1b8c03d660 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -33,11 +33,11 @@ You can enable attack surface reduction rules by using any of these methods:
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
-* [System Center Configuration Manager (SCCM)](#sccm)
+* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
-Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
+Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
## Exclude files and folders from ASR rules
@@ -99,9 +99,9 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
> [!NOTE]
> Be sure to enter OMA-URI values without spaces.
-## SCCM
+## Microsoft Endpoint Configuration Manager
-1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
1. Click **Home** > **Create Exploit Guard Policy**.
1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
1. Choose which rules will block or audit actions and click **Next**.
@@ -111,7 +111,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
## Group Policy
> [!WARNING]
-> If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
+> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -134,7 +134,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
## PowerShell
>[!WARNING]
->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
+>If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 40cbdce038..f78270d508 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -30,7 +30,7 @@ You can enable controlled folder access by using any of these methods:
* [Windows Security app](#windows-security-app)
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
-* [System Center Configuration Manager (SCCM)](#sccm)
+* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
@@ -78,9 +78,9 @@ For more information about disabling local list merging, see [Prevent or allow u
Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
-## SCCM
+## Microsoft Endpoint Configuration Manager
-1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
2. Click **Home** > **Create Exploit Guard Policy**.
3. Enter a name and a description, click **Controlled folder access**, and click **Next**.
4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
@@ -98,14 +98,16 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
+ * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
* **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
* **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
+ * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
+ * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded.
- 
+ 
> [!IMPORTANT]
-> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu.
## PowerShell
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index 36853a0451..9c926b6d06 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -32,12 +32,12 @@ Many features from the Enhanced Mitigation Experience Toolkit (EMET) are include
You can enable each mitigation separately by using any of these methods:
-- [Windows Security app](#windows-security-app)
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Windows Security app](#windows-security-app)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
@@ -121,14 +121,14 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.
-## SCCM
+## Microsoft Endpoint Configuration Manager
-1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-2. Click **Home** > **Create Exploit Guard Policy**.
-3. Enter a name and a description, click **Exploit protection**, and click **Next**.
-4. Browse to the location of the exploit protection XML file and click **Next**.
-5. Review the settings and click **Next** to create the policy.
-6. After the policy is created, click **Close**.
+1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Exploit protection**, and click **Next**.
+1. Browse to the location of the exploit protection XML file and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**.
## Group Policy
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index 7f23be0e27..db54d852de 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -30,7 +30,7 @@ You can enable network protection by using any of these methods:
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
-* [System Center Configuration Manager (SCCM)](#sccm)
+* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
@@ -49,9 +49,9 @@ You can enable network protection by using any of these methods:
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
-## SCCM
+## Microsoft Endpoint Configuration Manager
-1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
1. Click **Home** > **Create Exploit Guard Policy**.
1. Enter a name and a description, click **Network protection**, and click **Next**.
1. Choose whether to block or audit access to suspicious domains and click **Next**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index 5f8fc8a0da..da28a46770 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -46,7 +46,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
> [!TIP]
> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
+You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
## Review controlled folder access events in Windows Event Viewer
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index ccab9e8250..42ce3aa2b6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -127,8 +127,8 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
->[!NOTE]
->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
+> [!NOTE]
+> The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
1. Connect to your machine and run an attack simulation by selecting **Connect**.
@@ -179,4 +179,3 @@ Your feedback helps us get better in protecting your environment from advanced a
Let us know what you think, by selecting **Provide feedback**.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
index c91de23386..8c836888bb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
@@ -57,6 +57,10 @@ Machines | Run API calls such as get machines, get machines by ID, information a
Machine Actions | Run API call such as Isolation, Run anti-virus scan and more.
Indicators | Run API call such as create Indicator, get Indicators and delete Indicators.
Users | Run API calls such as get user related alerts and user related machines.
+Score | Run API calls such as get exposure score or get device secure score.
+Software | Run API calls such as list vulnerabilities by software.
+Vulnerability | Run API calls such as list machines by vulnerability.
+Recommendation | Run API calls such as Get recommendation by Id.
## Related topic
- [Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
new file mode 100644
index 0000000000..1735811830
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@@ -0,0 +1,108 @@
+---
+title: List all recommendations
+description: Retrieves a list of all security recommendations affecting the organization.
+keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List all recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all security recommendations affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-microsoft-_-windows_10",
+ "productName": "windows_10",
+ "recommendationName": "Update Windows 10",
+ "weaknesses": 397,
+ "vendor": "microsoft",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": true,
+ "activeAlert": false,
+ "associatedThreats": [
+ "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
+ "40c189d5-0330-4654-a816-e48c2b7f9c4b",
+ "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
+ "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
+ "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
+ ],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 7.674418604651163,
+ "totalMachineCount": 37,
+ "exposedMachinesCount": 7,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Windows 10"
+ }
+ ]
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
new file mode 100644
index 0000000000..e0e4243d76
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@@ -0,0 +1,96 @@
+---
+title: Get all vulnerabilities
+description: Retrieves a list of all the vulnerabilities affecting the organization
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get all vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all the vulnerabilities affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
+ "value": [
+ {
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ]
+ {
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
new file mode 100644
index 0000000000..dfd844de6b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@@ -0,0 +1,84 @@
+---
+title: Get Device Secure score
+description: Retrieves the organizational device secure score.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get Device Secure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational device secure score.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+```
+GET /api/configurationScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the with device secure score data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/configurationScore
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
+ "time": "2019-12-03T09:15:58.1665846Z",
+ "score": 340,
+ "rbacGroupId": null
+}
+```
+
+## Related topics
+- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
new file mode 100644
index 0000000000..f41e0af06d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -0,0 +1,93 @@
+---
+title: Get discovered vulnerabilities
+description: Retrieves a collection of discovered vulnerabilities related to a given machine ID.
+keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get discovered vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of discovered vulnerabilities related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the discovered vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-1348",
+ "name": "CVE-2019-1348",
+ "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 1,
+ "publishedOn": "2019-12-13T00:00:00Z",
+ "updatedOn": "2019-12-13T00:00:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
new file mode 100644
index 0000000000..f57f5e53cf
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@@ -0,0 +1,89 @@
+---
+title: Get exposure score
+description: Retrieves the organizational exposure score.
+keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get exposure score
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational exposure score.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+
+## HTTP request
+```
+GET /api/exposureScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the exposure data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
+ "time": "2019-12-03T07:23:53.280499Z",
+ "score": 33.491554051195706,
+ "rbacGroupId": null
+}
+
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
new file mode 100644
index 0000000000..9263243f0d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
@@ -0,0 +1,89 @@
+---
+title: Get installed software
+description: Retrieves a collection of installed software related to a given machine ID.
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per machine, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get installed software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of installed software related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the installed software information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
+"value": [
+ {
+"id": "microsoft-_-internet_explorer",
+"name": "internet_explorer",
+"vendor": "microsoft",
+"weaknesses": 67,
+"publicExploit": true,
+"activeAlert": false,
+"exposedMachines": 42115,
+"impactScore": 46.2037163
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
new file mode 100644
index 0000000000..a85a0bc44e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -0,0 +1,100 @@
+---
+title: List exposure score by machine group
+description: Retrieves a list of exposure scores by machine group.
+keywords: apis, graph api, supported apis, get, exposure score, machine group, machine group exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List exposure score by machine group
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+```
+GET /api/exposureScore/ByMachineGroups
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with a list of exposure score per machine group data in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
+ "value": [
+ {
+ "time": "2019-12-03T09:51:28.214338Z",
+ "score": 41.38041766305988,
+ "rbacGroupId": 10
+ },
+ {
+ "time": "2019-12-03T09:51:28.2143399Z",
+ "score": 37.403726933165366,
+ "rbacGroupId": 11
+ },
+ {
+ "time": "2019-12-03T09:51:28.2143407Z",
+ "score": 26.390921344426033,
+ "rbacGroupId": 9
+ },
+ {
+ "time": "2019-12-03T09:51:28.2143414Z",
+ "score": 23.58823563070858,
+ "rbacGroupId": 5
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
new file mode 100644
index 0000000000..81d6659101
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -0,0 +1,92 @@
+---
+title: List machines by software
+description: Retrieve a list of machines that has this software installed.
+keywords: apis, graph api, supported apis, get, list machines, machines list, list machines by software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List machines by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of machines that has this software installed.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/machineReferences
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK and a list of machines with the software installed in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
+ "computerDnsName": "dave_desktop",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 9
+ },
+ {
+ "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
+ "computerDnsName": "jane_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 9
+ }
+]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
new file mode 100644
index 0000000000..5ee5fe1b47
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -0,0 +1,92 @@
+---
+title: List machines by vulnerability
+description: Retrieves a list of machines affected by a vulnerability.
+keywords: apis, graph api, supported apis, get, machines list, vulnerable machines, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List machines by vulnerability
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of machines affected by a vulnerability.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "235a2e6278c63fcf85bab9c370396972c58843de",
+ "computerDnsName": "h1mkn_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 1268
+ },
+ {
+ "id": "afb3f807d1a185ac66668f493af028385bfca184",
+ "computerDnsName": "chat_Desk ",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 410
+ }
+ ]
+ }
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
new file mode 100644
index 0000000000..6a56d41c99
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -0,0 +1,97 @@
+---
+title: Get recommendation by Id
+description: Retrieves a security recommendation by its ID.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
+ "id": "va-_-google-_-chrome",
+ "productName": "chrome",
+ "recommendationName": "Update Chrome",
+ "weaknesses": 38,
+ "vendor": "google",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 3.9441860465116285,
+ "totalMachineCount": 6,
+ "exposedMachinesCount": 5,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Chrome"
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
new file mode 100644
index 0000000000..d74dc47279
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -0,0 +1,84 @@
+---
+title: Get recommendation by machines
+description: Retrieves a list of machines associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by machines
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of machines associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of machines associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
+ "computerDnsName": "niw_pc",
+ "osPlatform": "Windows10",
+ "rbacGroupId": 2154
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
new file mode 100644
index 0000000000..de192c1e9f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -0,0 +1,85 @@
+---
+title: Get recommendation by software
+description: Retrieves a security recommendation related to a specific software.
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by software
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a security recommendation related to a specific software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
+ "id": "google-_-chrome",
+ "name": "chrome",
+ "vendor": "google",
+ "weaknesses": 38,
+ "publicExploit": false,
+ "activeAlert": false,
+ "exposedMachines": 5,
+ "impactScore": 3.94418621
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
new file mode 100644
index 0000000000..c9ca363c20
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -0,0 +1,94 @@
+---
+title: Get recommendation by vulnerabilities
+description: Retrieves a list of vulnerabilities associated with the security recommendation.
+keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get recommendation by vulnerabilities
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of vulnerabilities associated with the security recommendation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations/{id}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2019-13748",
+ "name": "CVE-2019-13748",
+ "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
+ "severity": "Medium",
+ "cvssV3": 6.5,
+ "exposedMachines": 0,
+ "publishedOn": "2019-12-10T00:00:00Z",
+ "updatedOn": "2019-12-16T12:15:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
new file mode 100644
index 0000000000..61ca64ff6b
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -0,0 +1,101 @@
+---
+title: Get security recommendations
+description: Retrieves a collection of security recommendations related to a given machine ID.
+keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per machine, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get security recommendations
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of security recommendations related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-git-scm-_-git",
+ "productName": "git",
+ "recommendationName": "Update Git to version 2.24.1.2",
+ "weaknesses": 3,
+ "vendor": "git-scm",
+ "recommendedVersion": "2.24.1.2",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": false,
+ "activeAlert": false,
+ "associatedThreats": [],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 0,
+ "totalMachineCount": 0,
+ "exposedMachinesCount": 1,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Git"
+ },
+…
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
new file mode 100644
index 0000000000..c57fe74368
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -0,0 +1,86 @@
+---
+title: Get software by Id
+description: Retrieves a list of exposure scores by machine group.
+keywords: apis, graph api, supported apis, get, software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get software by Id
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves software details by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the specified software data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
new file mode 100644
index 0000000000..2ba8c06b69
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -0,0 +1,90 @@
+---
+title: List software version distribution
+description: Retrieves a list of your organization's software version distribution
+keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software version distribution
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of your organization's software version distribution.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/distributions
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a list of software distributions data in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
+ "value": [
+ {
+ "version": "11.0.17134.1039",
+ "installations": 1,
+ "vulnerabilities": 11
+ },
+ {
+ "version": "11.0.18363.535",
+ "installations": 750,
+ "vulnerabilities": 0
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
new file mode 100644
index 0000000000..1ec2bcccd1
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -0,0 +1,89 @@
+---
+title: List software
+description: Retrieves a list of software inventory
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List software inventory API
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organization software inventory.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the software inventory in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
+ "value": [
+ {
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
new file mode 100644
index 0000000000..6fa52754b7
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@@ -0,0 +1,92 @@
+---
+title: List vulnerabilities by software
+description: Retrieve a list of vulnerabilities in the installed software.
+keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities by software
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of vulnerabilities in the installed software.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/vulnerabilities
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
+ "value": [
+ {
+ "id": "CVE-2017-0140",
+ "name": "CVE-2017-0140",
+ "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
+ "severity": "Medium",
+ "cvssV3": 4.2,
+ "exposedMachines": 1,
+ "publishedOn": "2017-03-14T00:00:00Z",
+ "updatedOn": "2019-10-03T00:03:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ]
+}
+```
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
new file mode 100644
index 0000000000..e4ccb6c433
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@@ -0,0 +1,89 @@
+---
+title: Get vulnerability by Id
+description: Retrieves vulnerability information by its ID.
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get vulnerability by ID
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves vulnerability information by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+Content-type: json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
new file mode 100644
index 0000000000..30e6e789bd
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
@@ -0,0 +1,60 @@
+---
+title: Helpful Microsoft Defender Advanced Threat Protection resources
+description: Access helpful resources such as links to blogs and other resources related to Microsoft Defender Advanced Threat Protection
+keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Helpful Microsoft Defender Advanced Threat Protection resources
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Access helpful resources such as links to blogs and other resources related to Microsoft Defender Advanced Threat Protection.
+
+## Endpoint protection platform
+- [Top scoring in industry
+ tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests)
+
+- [Inside out: Get to know the advanced technologies at the core of Microsoft
+ Defender ATP next generation
+ protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/)
+
+- [Protecting disconnected devices with Microsoft Defender
+ ATP](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341)
+
+- [Tamper protection in Microsoft Defender
+ ATP](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571)
+
+## Endpoint Detection Response
+
+- [Incident response at your fingertips with Microsoft Defender ATP live
+ response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894)
+
+## Threat Vulnerability Management
+
+- [Microsoft Defender ATP Threat & Vulnerability Management now publicly
+ available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977)
+
+## Operational
+
+- [The Golden Hour remake - Defining metrics for a successful security
+ operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014)
+
+- [Microsoft Defender ATP Evaluation lab is now available in public preview
+ ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271)
+
+- [How automation brings value to your security
+ teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/09833d16df7f37eda97ea1d5009b651a.png b/windows/security/threat-protection/microsoft-defender-atp/images/09833d16df7f37eda97ea1d5009b651a.png
new file mode 100644
index 0000000000..abea5e0e79
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/09833d16df7f37eda97ea1d5009b651a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png b/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png
new file mode 100644
index 0000000000..6ecfd587f2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png b/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png
new file mode 100644
index 0000000000..03b88ba1b1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/112a19b825f4e7b60795ffbd1be52fa9.png b/windows/security/threat-protection/microsoft-defender-atp/images/112a19b825f4e7b60795ffbd1be52fa9.png
new file mode 100644
index 0000000000..0fd52ae187
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/112a19b825f4e7b60795ffbd1be52fa9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png b/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png
new file mode 100644
index 0000000000..f09c0502a5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png b/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png
new file mode 100644
index 0000000000..a28b8fdac5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png b/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png
new file mode 100644
index 0000000000..dd1e768536
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1c3795a91872940f0850bcd1619d6d17.png b/windows/security/threat-protection/microsoft-defender-atp/images/1c3795a91872940f0850bcd1619d6d17.png
new file mode 100644
index 0000000000..c15c6bfbd5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1c3795a91872940f0850bcd1619d6d17.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1e439168370e6821083f2c0e91cfabef.png b/windows/security/threat-protection/microsoft-defender-atp/images/1e439168370e6821083f2c0e91cfabef.png
new file mode 100644
index 0000000000..ce5171fa8b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1e439168370e6821083f2c0e91cfabef.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2177e2b9b72a444243acd770e7017457.png b/windows/security/threat-protection/microsoft-defender-atp/images/2177e2b9b72a444243acd770e7017457.png
new file mode 100644
index 0000000000..db6b6881f4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2177e2b9b72a444243acd770e7017457.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/227f249bcb6e7f29c4d43aa1ffaccd20.png b/windows/security/threat-protection/microsoft-defender-atp/images/227f249bcb6e7f29c4d43aa1ffaccd20.png
new file mode 100644
index 0000000000..2576c45c77
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/227f249bcb6e7f29c4d43aa1ffaccd20.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png b/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png
new file mode 100644
index 0000000000..ccba2cefda
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/262a41839704d6da2bbd72ed6b4a826a.png b/windows/security/threat-protection/microsoft-defender-atp/images/262a41839704d6da2bbd72ed6b4a826a.png
new file mode 100644
index 0000000000..d9e4d196b0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/262a41839704d6da2bbd72ed6b4a826a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png b/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png
new file mode 100644
index 0000000000..79fb39ee6c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c7f9d05a2ebd19607cc76b6933b945b.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c7f9d05a2ebd19607cc76b6933b945b.png
new file mode 100644
index 0000000000..9418fb64f3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c7f9d05a2ebd19607cc76b6933b945b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png b/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png
new file mode 100644
index 0000000000..52392e9097
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png b/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png
new file mode 100644
index 0000000000..a6947f5624
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png b/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png
new file mode 100644
index 0000000000..786273e269
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png b/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png
new file mode 100644
index 0000000000..20f45112fc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3c1cf2e3df19509b198c084f264b410d.png b/windows/security/threat-protection/microsoft-defender-atp/images/3c1cf2e3df19509b198c084f264b410d.png
new file mode 100644
index 0000000000..b5a56d8ff7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3c1cf2e3df19509b198c084f264b410d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png b/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png
new file mode 100644
index 0000000000..85a0cce645
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png b/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png
new file mode 100644
index 0000000000..6aefd54b7b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png b/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png
new file mode 100644
index 0000000000..3222b68426
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png b/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png
new file mode 100644
index 0000000000..c38fa668f8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6d325a2f9a638337823e03ad5ca08651.png b/windows/security/threat-protection/microsoft-defender-atp/images/6d325a2f9a638337823e03ad5ca08651.png
new file mode 100644
index 0000000000..280bd8fe5a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6d325a2f9a638337823e03ad5ca08651.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png b/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png
new file mode 100644
index 0000000000..6004368075
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/80db725cdf6502f4579b7513e5e8ecd4.png b/windows/security/threat-protection/microsoft-defender-atp/images/80db725cdf6502f4579b7513e5e8ecd4.png
new file mode 100644
index 0000000000..982987eecc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/80db725cdf6502f4579b7513e5e8ecd4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png b/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png
new file mode 100644
index 0000000000..d44ef55ea4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png b/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png
new file mode 100644
index 0000000000..04e48619f5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png
new file mode 100644
index 0000000000..7635b49f3e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png b/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png
new file mode 100644
index 0000000000..8e07f27524
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png b/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png
new file mode 100644
index 0000000000..a205159bcc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a22081b675da83e8f62a046ae6922b0d.png b/windows/security/threat-protection/microsoft-defender-atp/images/a22081b675da83e8f62a046ae6922b0d.png
new file mode 100644
index 0000000000..ea76ada5b0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a22081b675da83e8f62a046ae6922b0d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png b/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png
new file mode 100644
index 0000000000..ed201870fc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png b/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png
new file mode 100644
index 0000000000..c37385be18
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png b/windows/security/threat-protection/microsoft-defender-atp/images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png
new file mode 100644
index 0000000000..cce824fab2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png b/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png
new file mode 100644
index 0000000000..82dee6a0cc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png b/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png
new file mode 100644
index 0000000000..d829f21d90
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png b/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png
new file mode 100644
index 0000000000..94c9207f1e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cf5f3aa9ab4dafc99cac2571e9fba84e.png b/windows/security/threat-protection/microsoft-defender-atp/images/cf5f3aa9ab4dafc99cac2571e9fba84e.png
new file mode 100644
index 0000000000..a730ac1438
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cf5f3aa9ab4dafc99cac2571e9fba84e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png b/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png
new file mode 100644
index 0000000000..51953de984
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e156a7ef87ea6472d57a3dc594bf08c2.png b/windows/security/threat-protection/microsoft-defender-atp/images/e156a7ef87ea6472d57a3dc594bf08c2.png
new file mode 100644
index 0000000000..36d62a08a7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e156a7ef87ea6472d57a3dc594bf08c2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png b/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png
new file mode 100644
index 0000000000..b900487c3e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png b/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png
new file mode 100644
index 0000000000..37a9e5ac2e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png
new file mode 100644
index 0000000000..6d49c8b659
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png
new file mode 100644
index 0000000000..39b714cdd4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-platform.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-platform.png
new file mode 100644
index 0000000000..ad86ffd4aa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-platform.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-addrule.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-addrule.png
new file mode 100644
index 0000000000..ecef165279
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-addrule.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png
new file mode 100644
index 0000000000..fe2925eca1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png
new file mode 100644
index 0000000000..7e23f6385d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png
new file mode 100644
index 0000000000..92acd79c2f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png
new file mode 100644
index 0000000000..42c18d2b1c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png
new file mode 100644
index 0000000000..fd3d91a008
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png
new file mode 100644
index 0000000000..cac48b7605
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png
new file mode 100644
index 0000000000..37fa96777b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png
new file mode 100644
index 0000000000..22b6b6419e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png
new file mode 100644
index 0000000000..d1987ab4cb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png
new file mode 100644
index 0000000000..ecef165279
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png
new file mode 100644
index 0000000000..78d20dc4ee
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png
new file mode 100644
index 0000000000..8c4e86272a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png
new file mode 100644
index 0000000000..d01215dee9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png
new file mode 100644
index 0000000000..d9fc4ed73a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png
new file mode 100644
index 0000000000..c6c86c4c3b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png
new file mode 100644
index 0000000000..bba1d35a38
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png
new file mode 100644
index 0000000000..58fd253994
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-reports.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png
new file mode 100644
index 0000000000..7b47ead343
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index 755dafb1e4..297de5d17d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -68,7 +68,7 @@ The **Alert process tree** takes alert triage and investigation to the next leve
The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
>[!NOTE]
->The alert process tree might not be available in some alerts.
+>The alert process tree might not show for some alerts, including alerts not triggered directly by process activity.
Clicking in the circle immediately to the left of the indicator displays its details.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 4e7758c7da..88ac0b8be9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -44,7 +44,7 @@ If you turn network protection off, users or apps will not be blocked from conne
If you do not configure it, network blocking will be turned off by default.
-For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection).
+For more information, see [Enable network protection](enable-network-protection.md).
## Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
@@ -86,4 +86,3 @@ DeviceNetworkEvents
## Related topics
- [Applying network protection with GP - policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
-- [Protect your network](https://docs.microsoft.comwindows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 3003c707b4..ddd34985a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -119,11 +119,11 @@ The following commands are available for user roles that's been granted the abil
Command | Description
:---|:---
analyze | Analyses the entity with various incrimination engines to reach a verdict.
-getfile | Gets a file from the machine. NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command.
+getfile | Gets a file from the machine. NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command.
run | Runs a PowerShell script from the library on the machine.
library | Lists files that were uploaded to the live response library.
putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
-remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type: - File: delete - Process: stop, delete image file - Service: stop, delete image file - Registry entry: delete - Scheduled task: remove - Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command.
+remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type: - File: delete - Process: stop, delete image file - Service: stop, delete image file - Registry entry: delete - Scheduled task: remove - Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
undo | Restores an entity that was remediated.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 85deccc918..315ec0f230 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -80,6 +80,18 @@ Specify whether the antivirus engine runs in passive mode. Passive mode has the
| **Possible values** | false (default) true |
| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
+#### Exclusion merge policy
+
+Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | exclusionsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default) admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
#### Scan exclusions
Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names.
@@ -138,9 +150,9 @@ Specify content excluded from being scanned by file extension.
| **Possible values** | valid file extensions |
| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
-##### Name of excluded content
+##### Process excluded from the scan
-Specify content excluded from being scanned by file name.
+Specify a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
|||
|:---|:---|
@@ -160,6 +172,18 @@ Specify threats by name that are not blocked by Microsoft Defender ATP for Mac.
| **Key** | allowedThreats |
| **Data type** | Array of strings |
+#### Disallowed threat actions
+
+Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | disallowedThreatActions |
+| **Data type** | Array of strings |
+| **Possible values** | allow (restricts users from allowing threats) restore (restricts users from restoring threats from the quarantine) |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
#### Threat type settings
Specify how certain threat types are handled by Microsoft Defender ATP for Mac.
@@ -197,6 +221,18 @@ Specify what action to take when a threat of the type specified in the preceding
| **Data type** | String |
| **Possible values** | audit (default) block off |
+#### Threat type settings merge policy
+
+Specify the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
+
+|||
+|:---|:---|
+| **Domain** | `com.microsoft.wdav` |
+| **Key** | threatTypeSettingsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default) admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
### Cloud-delivered protection preferences
Configure the cloud-driven protection features of Microsoft Defender ATP for Mac.
@@ -371,6 +407,10 @@ The following configuration profile will:
### Intune profile
```XML
+
+
+
+ PayloadUUIDC4E6A782-0C8D-44AB-A025-EB893987A295PayloadType
@@ -439,6 +479,8 @@ The following configuration profile will:
+
+
```
## Full configuration profile example
@@ -482,11 +524,24 @@ The following configuration profile contains entries for all settings described
extensionpdf
+
+ $type
+ excludedFileName
+ name
+ cat
+
+ exclusionsMergePolicy
+ mergeallowedThreatsEICAR-Test-File (not a virus)
+ disallowedThreatActions
+
+ allow
+ restore
+ threatTypeSettings
@@ -502,6 +557,8 @@ The following configuration profile contains entries for all settings described
audit
+ threatTypeSettingsMergePolicy
+ mergecloudService
@@ -593,11 +650,24 @@ The following configuration profile contains entries for all settings described
extensionpdf
+
+ $type
+ excludedFileName
+ name
+ cat
+
+ exclusionsMergePolicy
+ mergeallowedThreatsEICAR-Test-File (not a virus)
+ disallowedThreatActions
+
+ allow
+ restore
+ threatTypeSettings
@@ -613,6 +683,8 @@ The following configuration profile contains entries for all settings described
audit
+ threatTypeSettingsMergePolicy
+ mergecloudService
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 43323ca96d..34df1f32fc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -19,6 +19,12 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Mac
+## 100.83.73
+
+- Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions)
+- When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu
+- Performance improvements & bug fixes
+
## 100.82.60
- Addressed an issue where the product fails to start following a definition update.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 4edb6f1e70..a38094be67 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -22,6 +22,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+[!include[Prerelease information](../../includes/prerelease.md)]
## Methods
Method|Return Type |Description
@@ -30,6 +31,9 @@ Method|Return Type |Description
[Get machine](get-machine-by-id.md) | [machine](machine.md) | Get a [machine](machine.md) by its identity.
[Get logged on users](get-machine-log-on-users.md) | [user](user.md) collection | Get the set of [User](user.md) that logged on to the [machine](machine.md).
[Get related alerts](get-machine-related-alerts.md) | [alert](alerts.md) collection | Get the set of [alert](alerts.md) entities that were raised on the [machine](machine.md).
+[Get installed software](get-installed-software.md) | [software](software.md) collection | Retrieves a collection of installed software related to a given machine ID.
+[Get discovered vulnerabilities](get-discovered-vulnerabilities.md) | [vulnerability](vulnerability.md) collection | Retrieves a collection of discovered vulnerabilities related to a given machine ID.
+[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
@@ -52,29 +56,4 @@ riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. P
exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
-
-
-## Json representation
-
-```json
-{
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
-}
-```
\ No newline at end of file
+exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 9614834d72..32343d94bd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -35,7 +35,7 @@ You can use the following operations to customize the list of automated investig
**Triggering alert**
-The alert the initiated the automated investigation.
+The alert that initiated the automated investigation.
**Status**
An automated investigation can be in one of the following status:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index ed62718fa4..be8b72641f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -78,7 +78,6 @@ It's important to understand the following prerequisites prior to creating indic
>[!IMPORTANT]
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
>- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
->- The PE file needs to be in the machine timeline for you to be able to take this action.
>[!NOTE]
@@ -123,6 +122,11 @@ It's important to understand the following prerequisites prior to creating indic
>[!IMPORTANT]
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
+> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection (link) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS):
+> NOTE:
+>- IP is supported for all three protocols
+>- Encrypted URLs can only be blocked on first party browsers
+>- Full URL path blocks can be applied on the domain level and all unencrypted URLs
>[!NOTE]
>There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index e23db78609..f838be1390 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -31,7 +31,7 @@ Acknowledging that customer environments and structures can vary, Microsoft Defe
## Endpoint onboarding and portal access
-Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management.
+Machine onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management.
Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
- Globally distributed organizations and security teams
@@ -50,7 +50,6 @@ The Microsoft Defender ATP APIs can be grouped into three:
- Raw data streaming API
- SIEM integration
-
## Microsoft Defender ATP APIs
Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
@@ -70,10 +69,8 @@ For more information see, [Raw data streaming API](raw-data-export.md).
## SIEM API
When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md)
-
## Related topics
- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md)
- [Supported APIs](exposed-apis-list.md)
- [Technical partner opportunities](partner-integration.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index b2c1bdcbf9..5c52a93ff5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -1,6 +1,6 @@
---
title: Minimum requirements for Microsoft Defender ATP
-description: Understand the licensing requirements and requirements for onboarding machines to the sercvie
+description: Understand the licensing requirements and requirements for onboarding machines to the service
keywords: minimum requirements, licensing, comparison table
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -183,7 +183,7 @@ For more information, see [Windows Defender Antivirus compatibility](../windows-
## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard.
-If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 98d455063a..3da4badfe6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -30,12 +30,12 @@ It helps organizations discover vulnerabilities and misconfigurations in real-ti
## Next-generation capabilities
Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
-It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
+It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager.
It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication.
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery
-- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
+- Built-in remediation processes through Microsoft Intune and Configuration Manager
### Real-time discovery
@@ -55,7 +55,7 @@ Threat & Vulnerability Management helps customers prioritize and focus on those
### Seamless remediation
Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
+- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
@@ -70,3 +70,8 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
+- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
+- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
index 7d9e52a115..ea9ee7efc8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
@@ -34,7 +34,7 @@ Follow the corresponding instructions depending on your preferred deployment met
## Offboard Windows 10 machines
- [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script)
- [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy)
-- [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager)
+- [Offboard machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager)
- [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools)
## Offboard Servers
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index f67f450978..1247c43078 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -31,7 +31,8 @@ Reduce your attack surfaces by minimizing the places where your organization is
|[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
|[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. |
|[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
-|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
+|[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
+|[Web protection](./web-protection-overview.md) |Secure your machines against web threats and help you regulate unwanted content.
|[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) |
|[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) |
|[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
new file mode 100644
index 0000000000..60c0833058
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -0,0 +1,162 @@
+---
+title: Prepare Microsoft Defender ATP deployment
+description: Prepare stakeholder sign-off, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP
+keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Prepare Microsoft Defender ATP deployment
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Stakeholders and Sign-off
+The following section serves to identify all the stakeholders that are involved
+in this project and need to sign-off, review, or stay informed. Add stakeholders
+to the table below as appropriate for your organization.
+
+- SO = Sign-off on this project
+
+- R = Review this project and provide input
+
+- I = Informed of this project
+
+| Name | Role | Action |
+|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
+| Enter name and email | **Chief Information Security Officer (CISO)** *An executive representative who serves as sponsor inside the organization for the new technology deployment.* | SO |
+| Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.* | SO |
+| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the organization.* | R |
+| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R |
+| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I |
+
+## Project Management
+
+### In Scope
+
+The following is in scope for this project:
+
+- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
+ capabilities
+
+ - Next Generation Protection
+
+ - Attack Surface Reduction
+
+- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
+ capabilities including automatic investigation and remediation
+
+- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
+- Use of System Center Configuration Manager to onboard endpoints into the service.
+
+### Out of scope
+
+The following are out of scope of this project:
+
+- Configuration of third-party solutions that might integrate with Microsoft
+ Defender ATP.
+
+- Penetration testing in production environment.
+
+## Environment
+
+
+This section is used to ensure your environment is deeply understood by the
+stakeholders which will help identify potential dependencies and/or changes
+required in technologies or processes.
+
+| What | Description |
+|---------------------------------------|-------------|
+| Endpoint count | |
+| Server count | |
+| Management engine | |
+| CDOC distribution | |
+| Security information and event (SIEM) | |
+
+
+## Role-based access control
+
+Microsoft recommends using the concept of least privileges. Microsoft Defender
+ATP leverages built-in roles within Azure Active Directory. Microsoft recommend
+[review the different roles that are
+available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal)
+and choose the right one to solve your needs for each persona for this
+application. Some roles may need to be applied temporarily and removed after the
+deployment has been completed.
+
+| Personas | Roles | Azure AD Role (if required) | Assign to |
+|------------------------------|-------|-----------------------------|-----------|
+| Security Administrator | | | |
+| Security Analyst | | | |
+| Endpoint Administrator | | | |
+| Infrastructure Administrator | | | |
+| Business Owner/Stakeholder | | | |
+
+Microsoft recommends using [Privileged Identity
+Management](https://docs.microsoft.com/azure/active-directory/active-directory-privileged-identity-management-configure)
+to manage your roles to provide additional auditing, control, and access review
+for users with directory permissions.
+
+Microsoft Defender ATP supports two ways to manage permissions:
+
+- **Basic permissions management**: Set permissions to either full access or
+ read-only. In the case of basic permissions management users with Global
+ Administrator or Security Administrator role in Azure Active Directory have
+ full access while the Security reader role has read-only access.
+
+- **Role-based access control (RBAC)**: Set granular permissions by defining
+ roles, assigning Azure AD user groups to the roles, and granting the user
+ groups access to machine groups. For more information. see [Manage portal access using role-based access control](rbac.md).
+
+Microsoft recommends leveraging RBAC to ensure that only users that have a
+business justification can access Microsoft Defender ATP.
+
+You can find details on permission guidelines
+[here](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
+
+The following example table serves to identify the Cyber Defense Operations
+Center structure in your environment that will help you determine the RBAC
+structure required for your environment.
+
+| Tier | Description | Permission Required |
+|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
+| Tier 1 | **Local security operations team / IT team** This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | |
+| Tier 2 | **Regional security operations team** This team can see all the machines for their region and perform remediation actions. | View data |
+| Tier 3 | **Global security operations team** This team consists of security experts and are authorized to see and perform all actions from the portal. | View data Alerts investigation Active remediation actions Alerts investigation Active remediation actions Manage portal system settings Manage security settings |
+
+
+
+## Adoption Order
+In many cases organizations will have existing endpoint security products in
+place. The bare minimum every organization should have is an antivirus solution. But in some cases an organization might also already implanted an EDR solution.
+Historically, replacing any security solution was time intensive and difficult
+to achieve due to the tight hooks into the application layer and infrastructure
+dependencies. However, because Microsoft Defender ATP is built into the
+operating system, replacing third-party solutions is easy to achieve.
+
+Choose which component of Microsoft Defender ATP to be used and remove the ones
+that do not apply. The table below indicates the Microsoft recommendation on the
+order on how the endpoint security suite should be enabled.
+
+| Component | Description | Adoption Order Rank |
+|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
+| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
+| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes: | 2 |
+| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 3 |
+| Threat & Vulnerability Management (TVM) | Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: | 4 |
+| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
+| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
+
+## Related topic
+- [Production deployment](production-deployment.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index b02f8e485d..4cde145e4c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -43,6 +43,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
+- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
+
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
new file mode 100644
index 0000000000..2a83d109de
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
@@ -0,0 +1,74 @@
+---
+title: Microsoft Defender Advanced Threat Protection product brief
+description: Learn about the Microsoft Defender Advanced Threat Protection capabilities and licensing requirements
+keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender Advanced Threat Protection product brief
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+Microsoft Defender ATP is a platform designed to
+help enterprise networks prevent, detect, investigate, and respond to advanced
+threats.
+
+
+
+## Platform capabilities
+
+Capability | Description
+:---|:---
+**Threat and Vulnerability Management** | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+**Attack Surface Reduction** | The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+**Next Generation Protection** | To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
+**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+**Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
+**Secure Score** | Microsoft Defender ATP includes a secure score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization.
+ **Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization.
+**Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows.
+ **Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization. | |
+
+Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+
+- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
+ collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
+
+
+- **Cloud security analytics**: Leveraging big-data, machine-learning, and
+ unique Microsoft optics across the Windows ecosystem,
+ enterprise cloud products (such as Office 365), and online assets, behavioral signals
+ are translated into insights, detections, and recommended responses
+ to advanced threats.
+
+- **Threat intelligence**: Generated by Microsoft hunters, security teams,
+ and augmented by threat intelligence provided by partners, threat
+ intelligence enables Microsoft Defender ATP to identify attacker
+ tools, techniques, and procedures, and generate alerts when these
+ are observed in collected sensor data.
+
+## Licensing requirements
+Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
+
+- Windows 10 Enterprise E5
+- Windows 10 Education A5
+- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
+- Microsoft 365 A5 (M365 A5)
+
+## Related topic
+- [Prepare deployment](prepare-deployment.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
new file mode 100644
index 0000000000..4e93583820
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -0,0 +1,602 @@
+---
+title: Microsoft Defender ATP production deployment
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Microsoft Defender ATP production deployment
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on:
+- Tenant configuration
+- Network configuration
+- Onboarding using System Center Configuration Manager
+- Endpoint detection and response
+- Next generation protection
+- Attack surface reduction
+
+>[!NOTE]
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+
+## Tenant Configuration
+
+When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
+
+1. From a web browser, navigate to .
+
+ 
+
+2. If going through a TRIAL license, go to the link ()
+
+ Once the authorization step is completed, the **Welcome** screen will be displayed.
+3. Go through the authorization steps.
+
+ 
+
+4. Set up preferences.
+
+ **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this setup and Microsoft will not transfer the data from the specified geolocation.
+
+ **Data retention** - The default is 6 months.
+
+ **Enable preview features** - The default is on, can be changed later.
+
+ 
+
+5. Select **Next**.
+
+ 
+
+6. Select **Continue**.
+
+
+## Network configuration
+If the organization does not require the endpoints to use a Proxy to access the
+Internet, skip this section.
+
+The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to
+report sensor data and communicate with the Microsoft Defender ATP service. The
+embedded Microsoft Defender ATP sensor runs in the system context using the
+LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP)
+to enable communication with the Microsoft Defender ATP cloud service. The
+WinHTTP configuration setting is independent of the Windows Internet (WinINet)
+internet browsing proxy settings and can only discover a proxy server by using
+the following discovery methods:
+
+**Auto-discovery methods:**
+
+- Transparent proxy
+
+- Web Proxy Auto-discovery Protocol (WPAD)
+
+If a Transparent proxy or WPAD has been implemented in the network topology,
+there is no need for special configuration settings. For more information on
+Microsoft Defender ATP URL exclusions in the proxy, see the
+Appendix section in this document for the URLs Whitelisting or on
+[Microsoft
+Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
+
+**Manual static proxy configuration:**
+
+- Registry based configuration
+
+- WinHTTP configured using netsh command Suitable only for desktops in a
+ stable topology (for example: a desktop in a corporate network behind the
+ same proxy)
+
+### Configure the proxy server manually using a registry-based static proxy
+
+Configure a registry-based static proxy to allow only Microsoft Defender ATP
+sensor to report diagnostic data and communicate with Microsoft Defender ATP
+services if a computer is not permitted to connect to the Internet. The static
+proxy is configurable through Group Policy (GP). The group policy can be found
+under:
+
+- Administrative Templates \> Windows Components \> Data Collection and
+ Preview Builds \> Configure Authenticated Proxy usage for the Connected User
+ Experience and Telemetry Service
+
+ - Set it to **Enabled** and select**Disable Authenticated Proxy usage**
+
+1. Open the Group Policy Management Console.
+2. Create a policy or edit an existing policy based off the organizational practices.
+3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
+ 
+
+4. Select **Enabled**.
+5. Select **Disable Authenticated Proxy usage**.
+
+6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
+ 
+7. Select **Enabled**.
+8. Enter the **Proxy Server Name**.
+
+The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
+
+The registry value `TelemetryProxyServer` takes the following string format:
+
+```text
+:
+```
+
+For example: 10.0.0.6:8080
+
+The registry value `DisableEnterpriseAuthProxy` should be set to 1.
+
+### Configure the proxy server manually using netsh command
+
+Use netsh to configure a system-wide static proxy.
+
+> [!NOTE]
+> - This will affect all applications including Windows services which use WinHTTP with default proxy.
+> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
+
+1. Open an elevated command-line:
+
+ a. Go to **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command and press **Enter**:
+
+ ```PowerShell
+ netsh winhttp set proxy :
+ ```
+
+ For example: netsh winhttp set proxy 10.0.0.6:8080
+
+
+### Proxy Configuration for down-level machines
+
+Down-Level machines include Windows 7 SP1 and Windows 8.1 workstations as well
+as Windows Server 2008 R2, Windows Sever 2012, Windows Server 2012 R2, and
+versions of Windows Server 2016 prior to Windows Server CB 1803. These operating
+systems will have the proxy configured as part of the Microsoft Management Agent
+to handle communication from the endpoint to Azure. Refer to the
+Microsoft Management Agent Fast Deployment Guide for information on how a proxy
+is configured on these machines.
+
+### Proxy Service URLs
+URLs that include v20 in them are only needed if you have Windows 10, version
+1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only
+needed if the machine is on Windows 10, version 1803 or later.
+
+ Service location | Microsoft.com DNS record
+-|-
+Common URLs for all locations | ```crl.microsoft.com``` ```ctldl.windowsupdate.com``` ```events.data.microsoft.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com```
+European Union | ```eu.vortex-win.data.microsoft.com``` ```eu-v20.events.data.microsoft.com``` ```usseu1northprod.blob.core.windows.net``` ```usseu1westprod.blob.core.windows.net``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com``` ```wseu1northprod.blob.core.windows.net``` ```wseu1westprod.blob.core.windows.net```
+United Kingdom | ```uk.vortex-win.data.microsoft.com``` ```uk-v20.events.data.microsoft.com``` ```ussuk1southprod.blob.core.windows.net``` ```ussuk1westprod.blob.core.windows.net``` ```winatp-gw-uks.microsoft.com``` ```winatp-gw-ukw.microsoft.com``` ```wsuk1southprod.blob.core.windows.net``` ```wsuk1westprod.blob.core.windows.net```
+United States | ```us.vortex-win.data.microsoft.com``` ```ussus1eastprod.blob.core.windows.net``` ```ussus1westprod.blob.core.windows.net``` ```ussus2eastprod.blob.core.windows.net``` ```ussus2westprod.blob.core.windows.net``` ```ussus3eastprod.blob.core.windows.net``` ```ussus3westprod.blob.core.windows.net``` ```ussus4eastprod.blob.core.windows.net``` ```ussus4westprod.blob.core.windows.net``` ```us-v20.events.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com``` ```wsus1eastprod.blob.core.windows.net``` ```wsus1westprod.blob.core.windows.net``` ```wsus2eastprod.blob.core.windows.net``` ```wsus2westprod.blob.core.windows.net```
+
+
+If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
+
+### Microsoft Defender ATP service backend IP range
+
+If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
+
+Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
+
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+- \+\
+
+You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
+
+> [!NOTE]
+> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
+
+## Onboarding using System Center Configuration Manager
+### Collection creation
+To onboard Windows 10 devices with System Center Configuration Manager, the
+deployment can target either and existing collection or a new collection can be
+created for testing. The onboarding like group policy or manual method does
+not install any agent on the system. Within the Configuration Manager console
+the onboarding process will be configured as part of the compliance settings
+within the console. Any system that receives this required configuration will
+maintain that configuration for as long as the Configuration Manager client
+continues to receive this policy from the management point. Follow the steps
+below to onboard systems with Configuration Manager.
+
+1. In System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
+
+ 
+
+2. Right Click **Device Collection** and select **Create Device Collection**.
+
+ 
+
+3. Provide a **Name** and **Limiting Collection**, then select **Next**.
+
+ 
+
+4. Select **Add Rule** and choose **Query Rule**.
+
+ 
+
+5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
+
+ 
+
+6. Select **Criteria** and then choose the star icon.
+
+ 
+
+7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
+
+ 
+
+8. Select **Next** and **Close**.
+
+ 
+
+9. Select **Next**.
+
+ 
+
+After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
+
+## Endpoint detection and response
+### Windows 10
+From within the Microsoft Defender Security Center it is possible to download
+the '.onboarding' policy that can be used to create the policy in System Center Configuration
+Manager and deploy that policy to Windows 10 devices.
+
+1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
+
+
+
+2. Under Deployment method select the supported version of **System Center Configuration Manager**.
+
+ 
+
+3. Select **Download package**.
+
+ 
+
+4. Save the package to an accessible location.
+5. In System Center Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
+
+6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
+
+ 
+
+7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
+
+ 
+
+8. Click **Browse**.
+
+9. Navigate to the location of the downloaded file from step 4 above.
+
+ 
+
+10. Click **Next**.
+11. Configure the Agent with the appropriate samples (**None** or **All file types**).
+
+ 
+
+12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
+
+ 
+
+14. Verify the configuration, then click **Next**.
+
+ 
+
+15. Click **Close** when the Wizard completes.
+
+16. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
+
+ 
+
+17. On the right panel, select the previously created collection and click **OK**.
+
+ 
+
+
+### Previous versions of Windows Client (Windows 7 and Windows 8.1)
+Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
+
+1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
+
+2. Under operating system choose **Windows 7 SP1 and 8.1**.
+
+ 
+
+3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
+
+Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed.
+
+Edit the InstallMMA.cmd with a text editor, such as notepad and update the
+following lines and save the file:
+
+ 
+
+Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
+
+ 
+
+Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
+Systems:
+
+- Server SKUs: Windows Server 2008 SP1 or Newer
+
+- Client SKUs: Windows 7 SP1 and later
+
+The MMA agent will need to be installed on Windows devices. To install the
+agent, some systems will need to download the [Update for customer experience
+and diagnostic
+telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+in order to collect the data with MMA. These system versions include but may not
+be limited to:
+
+- Windows 8.1
+
+- Windows 7
+
+- Windows Server 2016
+
+- Windows Server 2012 R2
+
+- Windows Server 2008 R2
+
+Specifically, for Windows 7 SP1, the following patches must be installed:
+
+- Install
+ [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+
+- Install either [.NET Framework
+ 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
+ later) **or**
+ [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
+ Do not install both on the same system.
+
+To deploy the MMA with System Center Configuration Manager, follow the steps
+below to utilize the provided batch files to onboard the systems. The CMD file
+when executed, will require the system to copy files from a network share by the
+System, the System will install MMA, Install the DependencyAgent, and configure
+MMA for enrollment into the workspace.
+
+
+1. In System Center Configuration Manager console, navigate to **Software
+ Library**.
+
+2. Expand **Application Management**.
+
+3. Right-click **Packages** then select **Create Package**.
+
+4. Provide a Name for the package, then click **Next**
+
+ 
+
+5. Verify **Standard Program** is selected.
+
+ 
+
+6. Click **Next**.
+
+ 
+
+7. Enter a program name.
+
+8. Browse to the location of the InstallMMA.cmd.
+
+9. Set Run to **Hidden**.
+
+10. Set **Program can run** to **Whether or not a user is logged on**.
+
+11. Click **Next**.
+
+12. Set the **Maximum allowed run time** to 720.
+
+13. Click **Next**.
+
+ 
+
+14. Verify the configuration, then click **Next**.
+
+ 
+
+15. Click **Next**.
+
+16. Click **Close**.
+
+17. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP
+ Onboarding Package just created and select **Deploy**.
+
+18. On the right panel select the appropriate collection.
+
+19. Click **OK**.
+
+## Next generation protection
+Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
+
+1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
+
+ 
+
+2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
+
+ 
+
+ In certain industries or some select enterprise customers might have specific
+needs on how Antivirus is configured.
+
+
+ [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
+
+ For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
+
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+3. Right-click on the newly created antimalware policy and select **Deploy** .
+
+ 
+
+4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Windows
+Defender Antivirus.
+
+## Attack Surface Reduction
+The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
+Protection. All these features provide an audit mode and a block mode. In audit mode there is no end user impact all it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step by step move security controls into block mode.
+
+To set ASR rules in Audit mode:
+
+1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+
+2. Select **Attack Surface Reduction**.
+
+
+3. Set rules to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard policy by clicking on **Next**.
+
+ 
+
+
+5. Once the policy is created click **Close**.
+
+ 
+
+
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+ 
+
+After completing this task, you now have successfully configured ASR rules in audit mode.
+
+Below are additional steps to verify whether ASR rules are correctly applied to
+endpoints. (This may take few minutes)
+
+
+1. From a web browser, navigate to .
+
+2. Select **Configuration management** from left side menu.
+
+ 
+
+3. Click **Go to attack surface management** in the Attack surface management panel.
+
+ 
+
+4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
+
+ 
+
+5. Click each device shows configuration details of ASR rules.
+
+ 
+
+See [Optimize ASR rule deployment and
+detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
+
+
+### To set Network Protection rules in Audit mode:
+1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+2. Select **Network protection**.
+
+3. Set the setting to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard Policy by clicking **Next**.
+
+ 
+
+5. Once the policy is created click on **Close**.
+
+ 
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Select the policy to the newly created Windows 10 collection and choose **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Network
+Protection in audit mode.
+
+### To set Controlled Folder Access rules in Audit mode:
+
+1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+2. Select **Controlled folder access**.
+
+3. Set the configuration to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard Policy by clicking on **Next**.
+
+ 
+
+5. Once the policy is created click on **Close**.
+
+ 
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Controlled folder access in audit mode.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
new file mode 100644
index 0000000000..221645d516
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
@@ -0,0 +1,59 @@
+---
+title: Recommendation methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Recommendation resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
+[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
+[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
+[Get recommendation machines](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of machines associated with the security recommendation
+[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Recommendation ID
+productName | String | Related software name
+recommendationName | String | Recommendation name
+Weaknesses | Long | Number of discovered vulnerabilities
+Vendor | String | Related vendor name
+recommendedVersion | String | Recommended version
+recommendationCategory | String | Recommendation category. Possible values are: “Accounts”, “Application”, “Network”, “OS”, “SecurityStack
+subCategory | String | Recommendation sub-category
+severityScore | Double | Potential impact of the configuration to the organization’s configuration score (1-10)
+publicExploit | Boolean | Public exploit is available
+activeAlert | Boolean | Active alert is associated with this recommendation
+associatedThreats | String collection | Threat analytics report is associated with this recommendation
+remediationType | String | Remediation type. Possible values are: “ConfigurationChange”,“Update”,“Upgrade”,”Uninstall”
+Status | Enum | Recommendation exception status. Possible values are: “Active” and “Exception”
+configScoreImpact | Double | Configuration score impact
+exposureImpacte | Double | Exposure score impact
+totalMachineCount | Long | Number of installed machines
+exposedMachinesCount | Long | Number of installed machines that are exposed to vulnerabilities
+nonProductivityImpactedAssets | Long | Number of machines which are not affected
+relatedComponent | String | Related software component
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
new file mode 100644
index 0000000000..9a903d296f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@@ -0,0 +1,77 @@
+---
+title: Score methods and properties
+description: Retrieves your organization's exposure score, device secure score, and exposure score by machine group
+keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by machine group
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Score resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
+[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
+[List exposure score by machine group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by machine group.
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+Score | Double | The current score.
+Time | DateTime | The date and time in which the call for this API was made.
+RbacGroupId | Nullable Int | RBAC Group ID.
+
+
+### Response example for getting machine groups score:
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore/byMachineGroups
+```
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
+ "value": [
+ {
+ "time": "2019-12-03T07:26:49.9376328Z",
+ "score": 41.38041766305988,
+ "rbacGroupId": 10
+ },
+ {
+ "time": "2019-12-03T07:26:49.9376375Z",
+ "score": 23.58823563070858,
+ "rbacGroupId": 5
+ },
+ {
+ "time": "2019-12-03T07:26:49.9376382Z",
+ "score": 37.403726933165366,
+ "rbacGroupId": 11
+ },
+ {
+ "time": "2019-12-03T07:26:49.9376388Z",
+ "score": 26.323200116475423,
+ "rbacGroupId": 9
+ }
+ ]
+}
+
+
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
new file mode 100644
index 0000000000..49e8e4c12d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/software.md
@@ -0,0 +1,47 @@
+---
+title: Software methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Software resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[List software](get-software.md) | Software collection | List the organizational software inventory.
+[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
+[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
+[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID.
+[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Software ID
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
+publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
+activeAlert | Boolean | Active alert is associated with this software
+exposedMachines | Long | Number of exposed machines
+impactScore | Double | Exposure score impact of this software
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 55ffb2b7ca..7df11c3d9e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -42,7 +42,7 @@ Ensure that your machines:
> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
-- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905
+- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the machine page
- Are tagged or marked as co-managed
@@ -174,7 +174,7 @@ DeviceTvmSoftwareInventoryVulnerabilities
| where IsExploitAvailable == 1 and CvssScore >= 7
| summarize NumOfVulnerabilities=dcount(CveId),
DeviceName=any(DeviceName) by DeviceId
-| join kind =inner(AlertEvents) on DeviceId
+| join kind =inner(DeviceAlertEvents) on DeviceId
| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
DeviceName=any(DeviceName) by DeviceId, AlertId
| project DeviceName, NumOfVulnerabilities, AlertId
@@ -212,3 +212,9 @@ After you have identified which software and software versions are vulnerable du
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
+- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
+- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index 53233130eb..e4cd47a5a8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -40,15 +40,13 @@ If you have completed the onboarding process and don't see machines in the [Mach
If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
-### Troubleshoot onboarding issues when deploying with System Center Configuration Manager
-When onboarding machines using the following versions of System Center Configuration Manager:
+### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
+When onboarding machines using the following versions of Configuration Manager:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
-- System Center Configuration Manager (current branch) version 1511
-- System Center Configuration Manager (current branch) version 1602
-Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console.
+Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console.
If the deployment fails, you can check the output of the script on the machines.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 662c116683..97a1b56853 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -26,7 +26,7 @@ ms.topic: conceptual
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
-- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM)
+- Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
@@ -34,6 +34,9 @@ You can use the Threat & Vulnerability Management capability in [Microsoft Defen
- Select remediation options, triage and track the remediation tasks
- Select exception options and track active exceptions
+> [!NOTE]
+> Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score.
+
## Threat & Vulnerability Management in Microsoft Defender Security Center
When you open the portal, you’ll see the main areas of the capability:
@@ -66,9 +69,6 @@ Area | Description
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
-> [!NOTE]
-> Machines with no alerts seen in the last 30 days do not count towards the exposure score of Threat & Vulnerability Management.
-
See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal.
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index ee48894e3f..ad6de378c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -48,3 +48,7 @@ Reduce the exposure score by addressing what needs to be remediated based on the
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
+- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index a7dbb7c0ea..ffd3002549 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -1,6 +1,6 @@
---
title: Remediation and exception
-description: Remediate security weaknesses and fill exceptions by integrating Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
+description: Remediate security weaknesses and fill exceptions by integrating Microsoft Intune and Microsoft Endpoint Configuration Manager.
keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -133,5 +133,10 @@ The exception impact shows on both the Security recommendations page column and
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
+- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
+- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 047a7888c1..a33b2a7311 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -26,9 +26,9 @@ ms.date: 04/11/2019
[!include[Prerelease information](../../includes/prerelease.md)]
-The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
+The cyber security weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
-Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment.
+Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
## The basis of the security recommendation
Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
@@ -110,3 +110,8 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
+- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
+- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 0eb7c6a988..4428d8a925 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -73,3 +73,9 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
+- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
+- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index aa146289f2..1ffd2a0270 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -133,3 +133,8 @@ You can report a false positive when you see any vague, inaccurate, missing, or
- [Software inventory](tvm-software-inventory.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
+- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
+- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index dd8733ed35..379bc21985 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -43,6 +43,11 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
+ - Security operations - Take response actions
+ - Approve or dismiss pending remediation actions
+ - Manage allowed/blocked lists for automation
+ - Manage allowed/blocked create Indicators
+
>[!NOTE]
>To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
new file mode 100644
index 0000000000..0ede996269
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
@@ -0,0 +1,50 @@
+---
+title: Vulnerability methods and properties
+description: Retrieves vulnerability information
+keywords: apis, graph api, supported apis, get, vulnerability
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Vulnerability resource type
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+Method |Return Type |Description
+:---|:---|:---
+[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
+[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
+[List machines by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of machines that are associated with the vulnerability ID
+
+
+## Properties
+Property | Type | Description
+:---|:---|:---
+id | String | Vulnerability ID
+Name | String | Vulnerability title
+Description | String | Vulnerability description
+Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
+cvssV3 | Double | CVSS v3 score
+exposedMachines | Long | Number of exposed machines
+publishedOn | DateTime | Date when vulnerability was published
+updatedOn | DateTime | Date when vulnerability was updated
+publicExploit | Boolean | Public exploit exists
+exploitVerified | Boolean | Exploit is verified to work
+exploitInKit | Boolean | Exploit is part of an exploit kit
+exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
+exploitUris | String collection | Exploit source URLs
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
new file mode 100644
index 0000000000..5a60f9e9ae
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -0,0 +1,171 @@
+---
+title: Web content filtering
+description: Use web content filtering in Microsoft Defender ATP to track and regulate access to websites based on their content categories.
+keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Web content filtering
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
+
+Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
+
+You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions.
+
+Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support.
+
+To summarize the benefits:
+
+- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
+- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- You can access web reports in the same central location, with visibility over actual blocks and web usage
+
+## User experience
+
+The standard blocking experience is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
+For a more user-friendly experience, consider using SmartScreen on Edge.
+
+## Prerequisites
+
+Before trying out this feature, make sure you have the following:
+
+- Windows 10 Enterprise E5 license
+- Access to Microsoft Defender Security Center portal
+- Machines running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox)
+- Machines running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking
+- A valid license with a partner data provider
+
+## Data handling
+
+For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
+
+## Partner licensing
+
+In order to give customers access to various sources of web content categorization data, we are very excited to partner with data providers for this feature. We’ve chosen [Cyren](https://www.cyren.com/threat-intelligence) as our first partner, who we’ve worked with closely to build an integrated solution.
+
+### About Cyren and Threat Intelligence Service for Microsoft Defender ATP
+
+Cyren’s URL filtering includes 70 categories, providing partners with the ability to build powerful and advanced web security applications. Cyren’s comprehensive categories provide the necessary flexibility for any implementation requirement.
+
+The broad range of categories enables numerous applications:
+
+- Protecting users browsing the web from threats such as malware and phishing sites
+- Ensuring employee productivity
+- Consumer services such as parental control
+
+Cyren's web content classification technology is integrated by design into Microsoft Defender ATP to enable web filtering and auditing capabilities.
+
+Learn more at https://www.cyren.com/products/url-filtering.
+
+### Cyren permissions
+
+"Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license.
+
+"Read and Write Integration settings" exists under the WindowsDefenderATP scope within permissions. This line allows Cyren to add/modify/revoke Cyren license status on the Microsoft Defender ATP portal.
+
+### Signing up for a Cyren License
+
+Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
+
+>[!NOTE]
+>A user with AAD app admin/global admin permissions is required to complete these steps.
+
+1. Go to **Reports > Web protection** from the side navigation
+2. Select the **Connect to a partner** button
+3. Go through the flow from the flyout to register and connect your Cyren account
+
+## Turn on web content filtering
+
+From the left-hand navigation menu, select **Settings > General > Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**.
+
+### Configure web content filtering policies
+
+Web content filtering policies specify which site categories are blocked on which machine groups. To manage the policies, go to **Settings > Rules > Web content filtering**.
+
+Use the filter to locate policies that contain certain blocked categories or are applied to specific machine groups.
+
+### Create a policy
+
+To add a new policy:
+
+1. Select **Add policy** on the **Web content filtering** page in **Settings**.
+2. Specify a name.
+3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
+4. Specify the policy scope. Select the machine groups to specify where to apply the policy. Only machines in the selected machine groups will be prevented from accessing websites in the selected categories.
+5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected machines.
+
+>[!NOTE]
+>If you are removing a policy or changing machine groups at the same time, this might cause a delay in policy deployment.
+
+## Web content filtering cards and details
+
+Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
+
+### Web activity by category
+
+This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information about that particular category.
+
+In the first 30 days of using this feature, your organization might not have sufficient data to display in this card.
+
+
+
+### Web content filtering summary card
+
+This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
+
+
+
+### Web activity summary card
+
+This card displays the total number of requests for web content in all URLs.
+
+
+
+### View card details
+
+You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and machine groups.
+
+
+
+- **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
+
+- **Domains**: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain.
+
+- **Machine groups**: Lists all the machine groups that have generated web activity in your organization
+
+Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item.
+
+## Errors and issues
+
+### Why am I seeing the error "Need admin approval" when trying to connect to Cyren?
+
+You need to be logged in to an AAD account with either App administrator or Global Administrator privileges. Your IT admin would most likely either have these permissions and/or be able to grant them to you.
+
+### Limitations and known issues in this preview
+
+- Unassigned machines will have incorrect data shown within the report. In the Report details > Machine groups pivot, you may see a row with a blank Machine Group field. This group contains your unassigned machines in the interim before they get put into your specified group. The report for this row may not contain an accurate count of machines or access counts.
+
+- The data in our reports may not be congruent with other data on the site. We currently do not support real-time data processing for this feature, so you may see inconsistencies between the data in our reports and the URL entity page.
+
+## Related topics
+
+- [Web protection overview](web-protection-overview.md)
+- [Web threat protection](web-threat-protection.md)
+- [Monitor web security](web-protection-monitoring.md)
+- [Respond to web threats](web-protection-response.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
index da6e550794..36d58deb28 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
@@ -8,14 +8,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: lomayor
-author: lomayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 08/30/2019
---
# Monitor web browsing security
@@ -54,4 +53,6 @@ Select a domain to view the list of machines that have attempted to access URLs
## Related topics
- [Web protection overview](web-protection-overview.md)
+- [Web content filtering](web-content-filtering.md)
+- [Web threat protection](web-threat-protection.md)
- [Respond to web threats](web-protection-response.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
index 37f62a101c..d3dd75a836 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
@@ -1,5 +1,5 @@
---
-title: Overview of web protection in Microsoft Defender ATP
+title: Web protection
description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
search.product: eADQiWindows 10XVcnh
@@ -8,43 +8,44 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: lomayor
-author: lomayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 08/30/2019
---
-# Protect your organization against web threats
+# Web protection
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-Web protection in Microsoft Defender ATP uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
+Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your machines against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**.
->[!Note]
->It can take up to an hour for machines to receive new customer indicators.
+
-With web protection, you also get:
+## Web threat protection
+
+The cards that make up web threat protection are **Web threat detections over time** and **Web threat summary**.
+
+Web threat protection includes:
- Comprehensive visibility into web threats affecting your organization
- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs
- A full set of security features that track general access trends to malicious and unwanted websites
-## Prerequisites
-Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
+## Web content filtering
-To turn on network protection on your machines:
-- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline)
-- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
-
->[!Note]
->If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
+The cards that make up web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**.
+Web content filtering includes:
+- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
+- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
+- You can access web reports in the same central location, with visibility over actual blocks and web usage
## In this section
+
Topic | Description
:---|:---
-[Monitor web security](web-protection-monitoring.md) | Monitor attempts to access malicious and unwanted websites.
-[Respond to web threats](web-protection-response.md) | Investigate and manage alerts related to malicious and unwanted websites. Understand how end users are notified whenever a web threat is blocked.
+[Web threat protection](web-threat-protection.md) | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked.
+[Web content filtering](web-content-filtering.md) | Track and regulate access to websites based on their content categories.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
index e963f8f504..e9e6949f27 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
@@ -8,14 +8,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: lomayor
-author: lomayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 08/30/2019
---
# Respond to web threats
@@ -67,4 +66,6 @@ With web protection in Microsoft Defender ATP, your end users will be prevented
## Related topics
- [Web protection overview](web-protection-overview.md)
-- [Monitor web security](web-protection-monitoring.md)
+- [Web content filtering](web-content-filtering.md)
+- [Web threat protection](web-threat-protection.md)
+- [Monitor web security](web-protection-monitoring.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
new file mode 100644
index 0000000000..66e0e293ed
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
@@ -0,0 +1,45 @@
+---
+title: Protect your organization against web threats
+description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
+keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Protect your organization against web threats
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
+
+Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
+
+>[!Note]
+>It can take up to an hour for machines to receive new customer indicators.
+
+## Prerequisites
+Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
+
+To turn on network protection on your machines:
+- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline)
+- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
+
+>[!Note]
+>If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
+
+## Related topics
+
+- [Web protection overview](web-protection-overview.md)
+- [Web threat protection](web-threat-protection.md)
+- [Monitor web security](web-protection-monitoring.md)
+- [Respond to web threats](web-protection-response.md)
+- [Network protection](network-protection.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 1f3bb33e56..d726f7ff56 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -279,7 +279,7 @@ SAWs are computers that are built to help significantly reduce the risk of compr
To protect high-value assets, SAWs are used to make secure connections to those assets.
-Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running.
+Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running.
It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run.
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 8d134aaa46..4c475c71c0 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -41,7 +41,10 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
- - Office365 ProPlus (Sept 2019)
+ - Office 365 ProPlus (Sept 2019)
+
+- Microsoft Edge security baseline
+ - Version 79
- Tools
- Policy Analyzer tool
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index 4b9f7e599b..b777bb0066 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -99,6 +99,7 @@ Over time, new ways to manage security policy settings have been introduced, whi
+
## Using the Local Security Policy snap-in
@@ -135,7 +136,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
**To administer security policies by using the Security Compliance Manager**
-1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](http://blogs.technet.com/b/secguide/) blog.
+1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
2. Read the relevant security baseline documentation that is included in this tool.
3. Download and import the relevant security baselines. The installation process steps you through baseline selection.
4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
@@ -208,6 +209,7 @@ The following table lists the features of the Security Configuration Manager.
+
### Security Configuration and Analysis
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 1ada850d3b..37700da3a6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -20,7 +20,7 @@ ms.date: 04/19/2017
# Network security: Configure encryption types allowed for Kerberos
**Applies to**
-- Windows 10
+- Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
@@ -35,11 +35,11 @@ The following table lists and explains the allowed encryption types.
| Encryption type | Description and version support |
| - | - |
-| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
-| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
-| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2.|
-| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
-| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
+| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. |
+| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. |
+| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.|
+| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. |
+| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. |
| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|
### Possible values
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 253e07225b..20fd54f909 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -49,7 +49,7 @@ The rules that are included in the Windows Server password complexity requiremen
Enabling the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve.
-Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those that are typed by holding down the SHIFT key and typing any of the digits from 1 through 10.
+Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those typed by pressing and holding the SHIFT key and then pressing any of the keys on the number row of the keyboard (from 1 through 9 and 0).
### Possible values
@@ -100,7 +100,7 @@ When combined with a [Minimum password length](minimum-password-length.md) of 8,
If the default password complexity configuration is retained, additional Help Desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to comply with the complexity requirement with minimal difficulty.
-If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.
+If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.
The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index a76c0ab71a..c69288aada 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -26,7 +26,7 @@ manager: dansimp
You can manage and configure Windows Defender Antivirus with the following tools:
- Microsoft Intune
-- System Center Configuration Manager
+- Microsoft Endpoint Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
@@ -38,7 +38,7 @@ The articles in this section provide further information, links, and resources f
Article | Description
---|---
-[Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
+[Manage Windows Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
[Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
[Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
[Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-windows-defender-antivirus.md)| Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index 1799b30b71..981c05b0ae 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -29,9 +29,9 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic
-## Use Configuration Manager to configure scanning options:
+## Use Microsoft Endpoint Configuration Manager to configure scanning options:
-See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
## Use Group Policy to configure scanning options
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 47b2f1d42a..97287da999 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -71,9 +71,9 @@ For more information about configuring Windows Defender Antivirus device restric
For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus).
-### Enable block at first sight with SCCM
+### Enable block at first sight with Microsoft Endpoint Configuration Manager
-1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
+1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
2. Click **Home** > **Create Antimalware Policy**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index a1020bef6f..9a1559d85e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -77,7 +77,7 @@ See the following articles:
### Use Configuration Manager to configure file name, folder, or file extension exclusions
-See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
### Use Group Policy to configure folder or file extension exclusions
@@ -272,7 +272,7 @@ The following table describes how the wildcards can be used and provides some ex
You can retrieve the items in the exclusion list using one of the following methods:
- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
-- [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
+- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
- MpCmdRun
- PowerShell
- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 0bd81387b5..39f0cb02b4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -43,7 +43,7 @@ The Windows Defender Antivirus cloud service provides fast, strong protection fo
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 6bd6aeb7b2..686871aec0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -74,7 +74,7 @@ You can use Group Policy to:
Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information.
> [!NOTE]
-> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection).
+> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index 36714d75c3..7835908e14 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -41,7 +41,7 @@ The exclusions only apply to [always-on real-time protection and monitoring](con
Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
-You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
@@ -57,9 +57,9 @@ You can [configure how locally and globally defined exclusions lists are merged]
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details.
-### Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans
+### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans
-See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
### Use Group Policy to exclude files that have been opened by specified processes from scans
@@ -150,7 +150,7 @@ Environment variables | The defined variable will be populated as a path when th
## Review the list of exclusions
-You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
If you use PowerShell, you can retrieve the list in two ways:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index 9702fdb478..c0c4318e7b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -25,7 +25,7 @@ manager: dansimp
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
-This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 85b7b015a3..6c817499da 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -266,7 +266,7 @@ This section lists the exclusions that are delivered automatically when you inst
- %windir%\Ntds\ntds.pat
-- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
+- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- %windir%\Ntds\EDB*.log
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
index d771955c80..3532148261 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -1,7 +1,7 @@
---
title: Configure Windows Defender Antivirus features
-description: You can configure Windows Defender Antivirus features with Intune, System Center Configuration Manager, Group Policy, and PowerShell.
-keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
+description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
+keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -26,7 +26,7 @@ manager: dansimp
You can configure Windows Defender Antivirus with a number of tools, including:
- Microsoft Intune
-- System Center Configuration Manager
+- Microsoft Endpoint Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index 4e5666fd45..b0b2030e32 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -34,4 +34,4 @@ Topic | Description
[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
-[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app
+[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index ad4a8eee3e..4e7ec5971c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Deploy, manage, and report on Windows Defender Antivirus
-description: You can deploy and manage Windows Defender Antivirus with Intune, System Center Configuration Manager, Group Policy, PowerShell, or WMI
+description: You can deploy and manage Windows Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
keywords: deploy, manage, update, protection, windows defender antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -27,7 +27,7 @@ You can deploy, manage, and report on Windows Defender Antivirus in a number of
Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
-However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table.
+However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table.
You'll also see additional links for:
@@ -40,24 +40,24 @@ You'll also see additional links for:
Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management)
-System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
+Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
-PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
-Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
+PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
+Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
-1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
+1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
-[Endpoint Protection point site system role]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-site-role
-[default and customized antimalware policies]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies
-[client management]: https://docs.microsoft.com/sccm/core/clients/manage/manage-clients
-[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-configure-client
-[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection
-[email alerts]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts
+[Endpoint Protection point site system role]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-protection-site-role
+[default and customized antimalware policies]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies
+[client management]: https://docs.microsoft.com/configmgr/core/clients/manage/manage-clients
+[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-protection-configure-client
+[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection
+[email alerts]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts
[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune
[custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
[custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
@@ -80,6 +80,6 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
Topic | Description
---|---
-[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
-[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
-[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
+[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
+[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
+[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
index 9f668be613..6f8dd3363b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Deploy and enable Windows Defender Antivirus
-description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
+description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, Windows Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -25,7 +25,7 @@ manager: dansimp
Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection.
-See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
+See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index b5a79ca055..ad266974fa 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Antivirus VDI deployment guide
-description: Learn how to deploy Windows Defender Antivirus in a VDI environment for the best balance between protection and performance.
+title: Windows Defender Antivirus Virtual Desktop Infrastructure deployment guide
+description: Learn how to deploy Windows Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 01/31/2020
ms.reviewer:
manager: dansimp
---
@@ -25,13 +25,13 @@ manager: dansimp
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
-See the [Microsoft Desktop virtualization site](https://www.microsoft.com/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.
+See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic.
With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
-This guide will show you how to configure your VMs for optimal protection and performance, including how to:
+This guide describes how to configure your VMs for optimal protection and performance, including how to:
- [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share)
- [Randomize scheduled scans](#randomize-scheduled-scans)
@@ -41,64 +41,93 @@ This guide will show you how to configure your VMs for optimal protection and pe
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
- [Apply exclusions](#exclusions)
-You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf) which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
+You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
> [!IMPORTANT]
-> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
-
-
-> [!NOTE]
-> There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
-
-
+> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
### Set up a dedicated VDI file share
-In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines.
+In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), Group Policy, or PowerShell.
-You can set this feature with Intune, Group Policy, or PowerShell.
+> [!TIP]
+> If you don't already have Intune, [try it for free](https://docs.microsoft.com/intune/fundamentals/free-trial-sign-up)!
-Open the Intune management portal either by searching for Intune on https://portal.azure.com or going to https://devicemanagement.microsoft.com and logging in.
+Open the Intune Management Portal either by searching for Intune on [https://portal.azure.com](https://portal.azure.com) or going to [https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com) and logging in.
-1. To create a group with only the devices or users you specify:
-1. Go to **Groups**. Click **New group**. Use the following values:
- 1. Group type: **Security**
- 2. Group name: **VDI test VMs**
- 3. Group description: *Optional*
- 4. Membership type: **Assigned**
-
-1. Add the devices or users you want to be a part of this test and then click **Create** to save the group. It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes.
+#### To create a group with only the devices or users you specify
-1. To create a group that will include any machine in your tenant that is a VM, even when they are newly created:
+1. Go to **Groups** > **New group**.
+
+2. Specify the following values:
+ - Group type: **Security**
+ - Group name: **VDI test VMs**
+ - Group description: *Optional*
+ - Membership type: **Assigned**
+
+3. Add the devices or users you want to be a part of this test and then click **Create** to save the group.
+
+It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes.
+
+#### To create a group that will include any machine in your tenant that is a VM, even when they are newly created
+
+1. Go to **Groups** > **New group**.
+
+2. Specify the following values:
+ - Group type: **Security**
+ - Group name: **VDI test VMs**
+ - Group description: *Optional*
+ - Membership type: **Dynamic Device**
+
+3. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**.
+
+4. Click **Add query** and then **Create** to save the group.
+
+5. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one.
+
+#### Create a new device configuration profile
+
+In this example, we create a new device configuration profile by clicking **Create profile**.
-1. Go to **Groups**. Click **New group**. Use the following values:
- 1. Group type: **Security**
- 2. Group name: **VDI test VMs**
- 3. Group description: *Optional*
- 4. Membership type: **Dynamic Device**
-1. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. Click **Add query** and then **Create** to save the group.
-1. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. In this demo I’m going to create a new one by clicking **Create profile**.
1. Name it, choose **Windows 10 and later** as the Platform and – most importantly – select **Custom** as the profile type.
-1. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values:
- 1. Name: **VDI shared sig location**
- 1. Description: *Optional*
- 1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
- 1. Data type: **String**
- 1. Value: **\\\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
-1. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. Click **Create** to save the new profile. The profile details page now appears.
-1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
-1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices.
-1. The profile will now be deployed to the impacted devices. Note that this may take some time.
+
+2. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values:
+ - Name: **VDI shared sig location**
+ - Description: *Optional*
+ - OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
+ - Data type: **String**
+ - `\\\wdav-update\` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
+
+3. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade.
+
+4. Click **Create** to save the new profile. The profile details page now appears.
+
+5. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
+
+6. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices.
+
+The profile will now be deployed to the impacted devices. This may take some time.
#### Use Group Policy to enable the shared security intelligence feature:
-1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
-1. In the **Group Policy Management Editor** go to **Computer configuration**.
-1. Click **Administrative templates**.
-1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
-1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
-1. Deploy the GPO to the VMs you want to test.
-#### Use PowerShell to enable the shared security intelligence feature:
+1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+3. Click **Administrative templates**.
+
+4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
+
+5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
+
+6. Enter `\\\wdav-update` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be).
+
+7. Click **OK**.
+
+8. Deploy the GPO to the VMs you want to test.
+
+#### Use PowerShell to enable the shared security intelligence feature
+
Use the following cmdlet to enable the feature. You’ll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
```PowerShell
@@ -108,6 +137,7 @@ Set-MpPreference -SharedSignaturesPath \\\wdav-update
See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \ will be.
### Download and unpackage the latest updates
+
Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those).
```PowerShell
@@ -126,27 +156,39 @@ cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"
You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update.
We suggest starting with once a day – but you should experiment with increasing or decreasing the frequency to understand the impact.
-Note that security intelligence packages are typically published once every three to four hours, so setting a frequency shorter than four hours isn’t advised as it will increase the network overhead on your management machine for no benefit.
+
+Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit.
#### Set a scheduled task to run the powershell script
+
1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
-1. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
-1. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter
- *-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1*
+2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
-in the **Add arguments** field. Click **OK**. You can choose to configure additional settings if you wish. Click OK to save the scheduled task.
+3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**.
+
+4. You can choose to configure additional settings if you wish.
+
+5. Click **OK** to save the scheduled task.
You can initiate the update manually by right-clicking on the task and clicking **Run**.
#### Download and unpackage manually
+
If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior:
-1. Create a new folder on the system root called *wdav_update* to store intelligence updates, for example, create the folder *c:\wdav_update*
-1. Create a subfolder under *wdav_update* with a GUID name, such as *{00000000-0000-0000-0000-000000000000}*; for example *c:\wdav_update\{00000000-0000-0000-0000-000000000000}* (note, in the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time)
-1. Download a security intelligence package from https://www.microsoft.com/wdsi/definitions into the GUID folder. The file should be named *mpam-fe.exe*.
-1. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example **mpam-fe.exe /X**.
-Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
+
+1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`.
+
+2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`.
+
+ Note: In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
+
+3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions) into the GUID folder. The file should be named `mpam-fe.exe`.
+
+4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`.
+
+ Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
### Randomize scheduled scans
@@ -161,17 +203,23 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for
You can specify the type of scan that should be performed during a scheduled scan.
Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
-1. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
+1. Expand the tree to **Windows components > Windows Defender > Scan**.
- - Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. Click **OK**.
+2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**.
+
+3. Click **OK**.
### Prevent notifications
Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface.
-1. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings:
+1. Expand the tree to **Windows components > Windows Defender > Client Interface**.
- - Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
+2. Double-click **Suppress all notifications** and set the option to **Enabled**.
+
+3. Click **OK**.
+
+This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
### Disable scans after an update
@@ -180,25 +228,36 @@ This setting will prevent a scan from occurring after receiving an update. You c
> [!IMPORTANT]
> Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
-1. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting:
+1. Expand the tree to **Windows components > Windows Defender > Signature Updates**.
- - Double-click **Turn on scan after signature update** and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update.
+2. Double-click **Turn on scan after signature update** and set the option to **Disabled**.
+
+3. Click **OK**.
+
+This prevents a scan from running immediately after an update.
### Scan VMs that have been offline
-1. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting:
+1. Expand the tree to **Windows components > Windows Defender > Scan**.
-1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
+2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
+
+3. Click **OK**.
+
+This forces a scan if the VM has missed two or more consecutive scheduled scans.
### Enable headless UI mode
-- Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
+1. Double-click **Enable headless UI mode** and set the option to **Enabled**.
+2. Click **OK**.
+
+This hides the entire Windows Defender AV user interface from users.
### Exclusions
-On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
-- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus)
+
+On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus).
## Additional resources
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index ed7b30ece9..fc883cd71d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -79,7 +79,7 @@ The notification appears in the usual [quarantine list within the Windows Securi
#### Configure PUA protection in Windows Defender Antivirus
-You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets.
+You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets.
You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log.
@@ -94,14 +94,14 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic
##### Use Configuration Manager to configure PUA protection
-PUA protection is enabled by default in the System Center Configuration Manager (Current Branch), starting with version 1606.
+PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch).
-See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (Current Branch).
+See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch).
-For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
+For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
> [!NOTE]
-> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager.
+> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
##### Use Group Policy to configure PUA protection
@@ -146,7 +146,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use
#### View PUA events
-PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune.
+PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune.
You can turn on email notifications to receive mail about PUA detections.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 328b3fc5a0..985b6f0b7c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -28,7 +28,7 @@ ms.custom: nextgen
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
+You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
@@ -62,7 +62,7 @@ For more information about Intune device profiles, including how to create and c
**Use Configuration Manager to enable cloud-delivered protection:**
-See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
**Use Group Policy to enable cloud-delivered protection:**
@@ -139,5 +139,5 @@ See the following for more information and allowed parameters:
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index c238f05823..20d523d368 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -27,11 +27,11 @@ Windows Defender Antivirus allows you to determine if updates should (or should
## Check for protection updates before running a scan
-You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan.
+You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan.
### Use Configuration Manager to check for protection updates before running a scan
-1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index fabe399119..9a6e186de0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -35,7 +35,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
### Use Configuration Manager to configure catch-up protection updates
-1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Security intelligence updates** section and configure the following settings:
@@ -164,7 +164,7 @@ See the following for more information and allowed parameters:
### Use Configuration Manager to configure catch-up scans
-1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
index 0185b12a58..c67fd41aa8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -36,7 +36,7 @@ You can also randomize the times when each endpoint checks and downloads protect
## Use Configuration Manager to schedule protection updates
-1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Security intelligence updates** section.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index b6e4410cd1..be5477b03f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -52,11 +52,11 @@ There are five locations where you can specify where an endpoint should obtain u
- [Microsoft Update](https://support.microsoft.com/help/12373/windows-update-faq)
- [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
-- [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/servers/manage/updates)
+- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
- [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview)
- [Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
-To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, System Center Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
+To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
> [!IMPORTANT]
> If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
@@ -70,13 +70,13 @@ Each source has typical scenarios that depend on how your network is configured,
|Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.|
|Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
-|System Center Configuration Manager | You are using System Center Configuration Manager to update your endpoints.|
+|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.|
|Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
-You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
+You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
> [!IMPORTANT]
-> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
+> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it.
@@ -110,7 +110,7 @@ The procedures in this article first describe how to set the order, and then how
## Use Configuration Manager to manage the update location
-See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch).
+See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
## Use PowerShell cmdlets to manage the update location
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 775068abed..7ebc368cbc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -40,7 +40,7 @@ The cloud-delivered protection is always on and requires an active connection to
Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
-You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
## In this section
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 21736ff5a6..0005561984 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -121,7 +121,7 @@ Here's what you see in the Windows Security app:
If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
-#### Use PowerShell to determine whether tamper protection is turned
+#### Use PowerShell to determine whether tamper protection is turned on
1. Open the Windows PowerShell app.
@@ -193,15 +193,16 @@ Value DisableRealtimeMonitoring = 0
Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups.
-### Can I configure tamper protection in System Center Configuration Manager?
-Currently, managing tamper protection through System Center Configuration Manager is not supported.
+### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
+
+Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager.
### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
-### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when tamper protection is enabled on a device?
+### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
You won’t be able to change the features that are protected by tamper protection; such change requests are ignored.
@@ -219,7 +220,7 @@ Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securi
In addition, your security operations team can use hunting queries, such as the following:
-`AlertEvents | where Title == "Tamper Protection bypass"`
+`DeviceAlertEvents | where Title == "Tamper Protection bypass"`
[View information about tampering attempts](#view-information-about-tampering-attempts).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index 16f606bbae..caea14600c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -23,7 +23,7 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
+With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 78fed4d5d4..d0f31c4c8d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Review the results of Windows Defender AV scans
-description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app
+description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -34,16 +34,7 @@ After an Windows Defender Antivirus scan completes, whether it is an [on-demand]
## Use Configuration Manager to review scan results
-See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection).
-
-## Use the Windows Security app to review scan results
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label.
-
- - Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
- - Information about the last scan is displayed at the bottom of the page.
+See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
## Use PowerShell cmdlets to review scan results
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 66db88455e..f36197fe0f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -41,7 +41,7 @@ A full scan can be useful on endpoints that have encountered a malware threat to
## Use Configuration Manager to run a scan
-See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
+See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan.
## Use the mpcmdrun.exe command-line utility to run a scan
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index e49771c6ae..b2b391a114 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -31,7 +31,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
To configure the Group Policy settings described in this topic:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index e6b6bf10d0..d04a0c0bd5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -23,7 +23,7 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
+You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
@@ -47,7 +47,7 @@ For more information about Intune device profiles, including how to create and c
## Use Configuration Manager to specify the level of cloud-delivered protection
-See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
## Use Group Policy to specify the level of cloud-delivered protection
@@ -77,6 +77,6 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index 6ed604307a..df5a122dda 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure Windows Defender Antivirus with Configuration Manager and Intune
-description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
+description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -17,13 +17,13 @@ ms.reviewer:
manager: dansimp
---
-# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus
+# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans.
+If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index 326511d75c..80c59d0658 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -30,9 +30,9 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367).
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367).
-Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index 0e88dfd58b..bac24170b6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -31,7 +31,7 @@ Windows Defender Antivirus has a number of specific WMI classes that can be used
The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts.
-Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
+Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index e1d2d9c8e9..68f8c4587a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -59,11 +59,9 @@ Organizations running Windows 10 E5, version 1803 can also take advantage of eme
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
-The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager.
-
-
-Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune
+Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center 2012 Configuration Manager | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune
---|---|---|---|---|---|---
Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
@@ -76,8 +74,8 @@ You can also [configure Windows Defender AV to automatically receive new protect
Topic | Description
---|---
-[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
-[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
-[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence . You can enable and configure it with System Center Configuration Manager and Group Policy.
-[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
+[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
+[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
index 392bc3f8e3..57b00a8aa0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
@@ -1,7 +1,7 @@
---
title: Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection
description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings.
-keywords: windows defender, antivirus
+keywords: windows defender, antivirus, third party av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 369ebfe876..64efaa5752 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -57,7 +57,7 @@ See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-ant
>[!IMPORTANT]
>Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
>
->In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through System Center Configuration Manager.
+>In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
>
>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index 8837f79190..b8fbc245ce 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -56,7 +56,7 @@ See the [Manage Windows Defender Antivirus Security intelligence updates](manag
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
-The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it to manage your endpoints.
+The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
@@ -70,7 +70,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating
Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
-
+
## Configure notifications
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index 4095a6a122..4ead268500 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -32,7 +32,8 @@ Refer to the below video for an overview and brief demo.
## Policy Authorization Process
-The general steps for expanding the S mode base policy on your devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups.
+The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly.
+
1. Generate a supplemental policy with WDAC tooling
This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more.
@@ -60,7 +61,7 @@ The general steps for expanding the S mode base policy on your devices are to ge
- Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy:
```powershell
- Add-SignerRule -FilePath -CertificatePath -User -Update`
+ Add-SignerRule -FilePath -CertificatePath -User -Update
```
- Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
@@ -70,7 +71,7 @@ The general steps for expanding the S mode base policy on your devices are to ge
2. Sign policy
- Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA.
+ Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service (DGSS) or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA.
Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML.
@@ -91,7 +92,7 @@ Your supplemental policy can be used to significantly relax the S mode base poli
Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don’t want to trust all apps that may share the same signing certificate.
-The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs.
+The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. Use the Add-SignerRule PowerShell cmdlet as shown above to authorize the catalog signing certificate in the supplemental policy. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs.
> [!Note]
> Every time an app updates, you will need to deploy an updated catalog. Because of this, IT Pros should try to avoid using catalog files for applications that auto-update and direct users not to update applications on their own.
@@ -180,8 +181,11 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
```
## Policy removal
+In order to revert users to an unmodified S mode policy, an IT Pro can remove a user or users from the targeted Intune group which received the policy, which will trigger a removal of both the policy and the authorization token from the device.
+
+IT Pros also have the choice of deleting a supplemental policy through Intune.
> [!Note]
-> This feature currently has a known a policy deletion bug, with a fix expected in the 2D update in late February 2020. Devices of users who are unenrolled will still have their WDAC policies removed. In the mentime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
+> This feature currently has a known bug which occurs when an S mode supplemental policy is deleted through Intune, in which the policy is not immediately removed from the devices to which it was deployed. A fix is expected in the 2D update in late February 2020. In the meantime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode.
```xml
@@ -233,3 +237,6 @@ Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Regis
```
+
+## Errata
+If an S-mode device with a policy authorization token and supplemental policy is rolled back from the 1909 update to the 1903 build, it will not revert to locked-down S mode until the next policy refresh. To achieve an immediate change to a locked-down S mode state, IT Pros should delete any tokens in %SystemRoot%\System32\CI\Tokens\Active.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 765289825b..1accae5758 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -143,7 +143,7 @@ To sign the existing catalog file, copy each of the following commands into an e
5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.
- For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as System Center Configuration Manager. Doing this also simplifies the management of catalog versions.
+ For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Endpoint Configuration Manager. Doing this also simplifies the management of catalog versions.
## Add a catalog signing certificate to a Windows Defender Application Control policy
@@ -217,9 +217,9 @@ To simplify the management of catalog files, you can use Group Policy preference
Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy.
-## Deploy catalog files with System Center Configuration Manager
+## Deploy catalog files with Microsoft Endpoint Configuration Manager
-As an alternative to Group Policy, you can use System Center Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, System Center Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
+As an alternative to Group Policy, you can use Microsoft Endpoint Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Microsoft Endpoint Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
>[!NOTE]
>The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
@@ -292,9 +292,9 @@ After you create the deployment package, deploy it to a collection so that the c
Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy,.
-## Inventory catalog files with System Center Configuration Manager
+## Inventory catalog files with Microsoft Endpoint Configuration Manager
-When catalog files have been deployed to the computers within your environment, whether by using Group Policy or System Center Configuration Manager, you can inventory them with the software inventory feature of System Center Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
+When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Microsoft Endpoint Configuration Manager, you can inventory them with the software inventory feature of Microsoft Endpoint Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
>[!NOTE]
>A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
@@ -332,7 +332,7 @@ When catalog files have been deployed to the computers within your environment,
9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files.
-At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in System Center Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
+At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Microsoft Endpoint Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
1. Open the Configuration Manager console, and select the Assets and Compliance workspace.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 5fa737a5b4..128fb4d3a3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -18,29 +18,63 @@ ms.date: 05/17/2018
---
> [!NOTE]
-> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
+> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/).
# Deploy Windows Defender Application Control policies by using Microsoft Intune
**Applies to:**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016
+You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited.
-You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can either configure an Endpoint Protection profile for WDAC, or create a custom profile with an OMA-URI setting. By using an Endpoint Protection profile, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps as defined by the Intelligent Security Graph.
+In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
+
+## Using Intune's Built-In Policies
1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
-3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.
+2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.
-4. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**:
+3. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**:
- **Application control code integrity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run.
- **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps.
- 
-
-To add a custom profile with an OMA-URI see, [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/intune/configuration/custom-settings-windows-10).
+ 
+
+## Using a Custom OMA-URI Profile
+
+### For 1903+ systems
+The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are:
+
+1. Know a generated policy’s GUID, which can be found in the policy xml as ``
+2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
+4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
+5. Add a row, then give your policy a name and use the following settings:
+ - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
+ - **Data type**: Base64
+ - **Certificate file**: upload your binary format policy file
+
+ 
+
+> [!NOTE]
+> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
+
+### For pre-1903 systems
+The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
+
+1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
+3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**.
+4. Add a row, then give your policy a name and use the following settings:
+ - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
+ - **Data type**: Base64
+ - **Certificate file**: upload your binary format policy file
+
+> [!NOTE]
+> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png
new file mode 100644
index 0000000000..12ec2b924f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png
new file mode 100644
index 0000000000..c37d55910d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png
new file mode 100644
index 0000000000..e132440266
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png
new file mode 100644
index 0000000000..1ba4774163
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-oma-uri.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
index ef6e327975..6054e9f6bd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
@@ -27,7 +27,7 @@ ms.date: 05/03/2018
Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy.
> [!NOTE]
-> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then amanaged installer using System Center Configuration Manager (SCCM) targeted the same device, the SCCM policy would overwrite the SiPolicy.p7b file.
+> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then a managed installer using Microsoft Endpoint Configuration Manager targeted the same device, the Configuration Manager policy would overwrite the SiPolicy.p7b file.
To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session:
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index fc2d28a1c6..465dfec3fb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -160,9 +160,8 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
-
-
-
+
+
-
-[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
-
-### Bitlocker
-
-#### New Bitlocker features
-
-- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
- It provides the following benefits:
- - The algorithm is FIPS-compliant.
- - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
- >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
-
-### Security auditing
-
-#### New Security auditing features
-
-- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.
-
-### Trusted Platform Module
-
-#### New TPM features
-
-- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
-
-### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
-
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-
-Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
-
-- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
-- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
-
-[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip)
-
-### Windows Defender
-
-Several new features and management options have been added to Windows Defender in this version of Windows 10.
-
-- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
-- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal.
-- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
-- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
-
-### Windows Defender Advanced Threat Protection (ATP)
-
-With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
-
-[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
-
-### VPN security
-
-- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
-- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
-- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
-- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
-
-## Management
-
-### Use Remote Desktop Connection for PCs joined to Azure Active Directory
-
-From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
-
-### Taskbar configuration
-
-Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies)
-
-### Mobile device management and configuration service providers (CSPs)
-
-Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607).
-
-### Shared PC mode
-
-This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc)
-
-### Application Virtualization (App-V) for Windows 10
-
-Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
-
-With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
-
-[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
-
-### User Experience Virtualization (UE-V) for Windows 10
-
-Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
-
-With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
-
-With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
-
-[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
-
-## See Also
-
-[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
-
+---
+title: What's new in Windows 10 Enterprise 2016 LTSC
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: low
+ms.topic: article
+---
+
+# What's new in Windows 10 Enterprise 2016 LTSC
+
+**Applies to**
+- Windows 10 Enterprise 2016 LTSC
+
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
+
+>[!NOTE]
+>Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607.
+
+## Deployment
+
+### Windows Imaging and Configuration Designer (ICD)
+
+In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+
+Windows ICD now includes simplified workflows for creating provisioning packages:
+
+- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
+- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates)
+- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain)
+
+[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
+
+### Windows Upgrade Readiness
+
+>[!IMPORTANT]
+>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release.
+
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+
+With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Readiness to get:
+
+- A visual workflow that guides you from pilot to production
+- Detailed computer and application inventory
+- Powerful computer level search and drill-downs
+- Guidance and insights into application and driver compatibility issues, with suggested fixes
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools
+
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
+
+[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
+
+## Security
+
+### Credential Guard and Device Guard
+
+Isolated User Mode is now included with Hyper-V so you don't have to install it separately.
+
+### Windows Hello for Business
+
+When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+
+Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC:
+
+- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
+- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
+- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+
+
+[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
+
+### BitLocker
+
+#### New BitLocker features
+
+- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
+ It provides the following benefits:
+ - The algorithm is FIPS-compliant.
+ - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
+ >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
+
+### Security auditing
+
+#### New Security auditing features
+
+- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.
+
+### Trusted Platform Module
+
+#### New TPM features
+
+- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
+
+### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
+
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+
+Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
+
+- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
+- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
+
+[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip)
+
+### Windows Defender
+
+Several new features and management options have been added to Windows Defender in this version of Windows 10.
+
+- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
+- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal.
+- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
+- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
+
+### Windows Defender Advanced Threat Protection (ATP)
+
+With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
+
+[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+
+### VPN security
+
+- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
+- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
+- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
+- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
+
+## Management
+
+### Use Remote Desktop Connection for PCs joined to Azure Active Directory
+
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
+
+### Taskbar configuration
+
+Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies)
+
+### Mobile device management and configuration service providers (CSPs)
+
+Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607).
+
+### Shared PC mode
+
+This version of Windows 10, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc)
+
+### Application Virtualization (App-V) for Windows 10
+
+Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
+
+With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
+
+[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
+
+### User Experience Virtualization (UE-V) for Windows 10
+
+Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
+
+With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
+
+With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
+
+[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
+
+## See Also
+
+[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
+
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 4c6f69c1a2..d409feafd2 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -70,10 +70,6 @@ But these protections can also be configured separately. And, unlike HVCI, code
### Next-gen protection
-#### Office 365 Ransomware Detection
-
-For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
-
### Endpoint detection and response
Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
@@ -417,7 +413,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro
### Co-management
-Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
@@ -482,7 +478,7 @@ You can now register your Azure AD domains to the Windows Insider Program. For m
### Optimize update delivery
-With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
>[!NOTE]
> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 0ca95a49ea..e49c027a4d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -42,9 +42,9 @@ With Windows 10, you can create provisioning packages that let you quickly and e
[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
-### Bitlocker
+### BitLocker
-#### New Bitlocker features in Windows 10, version 1511
+#### New BitLocker features in Windows 10, version 1511
- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
It provides the following benefits:
@@ -54,7 +54,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e
>[!NOTE]
>Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
-#### New Bitlocker features in Windows 10, version 1507
+#### New BitLocker features in Windows 10, version 1507
@@ -280,7 +280,7 @@ Enterprises have the following identity and management choices.
|---|---|
| Identity | Active Directory; Azure AD |
| Grouping | Domain join; Workgroup; Azure AD join |
-| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
+| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
**Note:** With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512).
@@ -326,9 +326,9 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279
- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
-- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281).
+- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security).
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx).
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr).
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 71c7f06847..1a4c0d57c0 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -195,7 +195,7 @@ We recently added the option to download Windows 10 Insider Preview builds using
### Optimize update delivery
-With changes delivered in Windows 10, version 1703, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+With changes delivered in Windows 10, version 1703, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
>[!NOTE]
> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index e13290b34f..051d5d4b6e 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -134,7 +134,7 @@ Portions of the work done during the offline phases of a Windows update have bee
### Co-management
-**Intune** and **System Center Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+**Intune** and **Microsoft Endpoint Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 45feb23e75..f13c8d694c 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -53,7 +53,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon!
+- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index a9384caf8b..89e6ad37a5 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -32,7 +32,7 @@ If you are updating from an older version of Windows 10 (version 1809 or earlier
### Windows Server Update Services (WSUS)
-Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. System Center Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
+Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903.
-
-5. Click **OK**.
-6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
-
- ```
- cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
-
- abortpxe.com
- bootmgfw.efi
- bootmgr.exe
- pxeboot.com
- pxeboot.n12
- wdsmgfw.efi
- wdsnbp.com
- ```
- >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
- >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
-
- ```
- Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
- ```
-
- The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
-
- Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"
-
- Once the files are present in the REMINST share location, you can close the cmtrace tool.
-
-### Create a branding image file
-
-1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image.
-2. Type the following command at an elevated Windows PowerShell prompt:
-
- ```
- copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp"
- ```
- >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
-
-
-### Create a boot image for Configuration Manager
-
-1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
-2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
- - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later.
-3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**.
-4. On the Options page, under **Platform** choose **x64**, and click **Next**.
-5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**.
-6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image.
-7. Click **Finish**.
-8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**.
-9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**.
-10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```
- Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
- ```
-
- In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
-
- ```
- STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
- ```
-
-11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
-12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
-13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
-14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
-
- ```
- cmd /c dir /s /b C:\RemoteInstall\SMSImages
-
- C:\RemoteInstall\SMSImages\PS100004
- C:\RemoteInstall\SMSImages\PS100005
- C:\RemoteInstall\SMSImages\PS100006
- C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
- C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
- C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
- ```
-
- >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
-
-### Create a Windows 10 reference image
-
-If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
-
-1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
-
- ```
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
- ```
-2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
-
-4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-5. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**](../images/UR-lift-report.jpg){kind=link}
](../images/ua-cg-15.png){kind=link}