Merge remote-tracking branch 'refs/remotes/origin/master' into live

2025-06-18 11:53:37 +00:00 · 2016-08-12 09:55:27 -07:00
parent 7fe02b7965 7a53b06ec6
commit 8ba3a64529
21 changed files with 102 additions and 112 deletions
--- a/windows/breadcrumb/toc.yml
+++ b/windows/breadcrumb/toc.yml
@ -0,0 +1,19 @@
 - name: Windows
  tocHref: /itpro/windows/
  topicHref: /itpro/windows/index
  items:
  - name: What's new
    tocHref: /itpro/windows/whats-new/
    topicHref: /itpro/windows/whats-new/index
  - name: Plan
    tocHref: /itpro/windows/plan/
    topicHref: /itpro/windows/plan/index
  - name: Deploy
    tocHref: /itpro/windows/deploy/
    topicHref: /itpro/windows/deploy/index
  - name: Keep secure
    tocHref: /itpro/windows/keep-secure/
    topicHref: /itpro/windows/keep-secure/index
  - name: Manage
    tocHref: /itpro/windows/manage/
    topicHref: /itpro/windows/manage/index
--- a/windows/docfx.json
+++ b/windows/docfx.json
@ -3,7 +3,7 @@
    "content":
      [
        {
-          "files": ["**/**.md"],
+          "files": ["**/**.md", "**/**.yml"],
          "exclude": ["**/obj/**"]
        }
      ],
@ -14,7 +14,8 @@
        }
    ],
    "globalMetadata": {
-        "ROBOTS": "INDEX, FOLLOW"
+        "ROBOTS": "INDEX, FOLLOW",
        "breadcrumb_path": "/itpro/windows/breadcrumb/toc.json"
    },
    "externalReference": [
    ],
--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@ -22,10 +22,7 @@ Hardware-based security features, also called virtualization-based security or V
 3.  **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
-4.  **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following sections in this topic:
+4.  **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs), later in this topic. 
    - [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot)
    - [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity)
 For information about enabling Credential Guard, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
@ -45,15 +42,19 @@ Hyper-V Hypervisor and Isolated User Mode (not shown).
 Figure 1. Enable operating system feature for VBS
-After you enable the feature or features, you can configure any additional hardware-based security features you want. The following sections provide more information:
+After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections.
 - [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot)
 - [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity)
-## Enable Unified Extensible Firmware Interface Secure Boot
+## Enable Virtualization Based Security (VBS)
-Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10.
+Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
-> **Important**&nbsp;&nbsp;Secure boot settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.<br>For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+There are multiple ways to configure VBS features for Device Guard. You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic, or you can use the following procedures, either to configure the appropriate registry keys manually or to use Group Policy.
 > **Important**&nbsp;&nbsp;
 > - The settings in the following procedure include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you simply choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.<br>For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).<br>
 > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
 **To configure VBS manually**
 1.  Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
@ -65,13 +66,19 @@ Before you begin this process, verify that the target device meets the hardware
    | ---------------- | ---------------- |
    | **1** enables the **Secure Boot** option<br>**3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option<br>**2** enables the **Secure Boot and DMA protection** option |
-4.  Restart the client computer.
+4. With a supported operating system earlier than Windows 10, version 1607, or Windows Server 2016, skip this step, and remain in the same registry subkey.
-Unfortunately, it would be time consuming to perform these steps manually on every protected computer in your enterprise. Group Policy offers a much simpler way to deploy UEFI Secure Boot to your organization. This example creates a test organizational unit (OU) called *DG Enabled PCs*. If you want, you can instead link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups.
+    With Windows 10, version 1607, or Windows Server 2016, navigate to **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios**.
-> **Note**&nbsp;&nbsp;We recommend that you test-enable this feature on a group of test computers before you deploy it to users' computers.
+5. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**.
-### Use Group Policy to deploy Secure Boot
+6.  Restart the client computer.
 Unfortunately, it would be time consuming to perform these steps manually on every protected computer in your enterprise. Group Policy offers a much simpler way to deploy these features to your organization. This example creates a test organizational unit (OU) called *DG Enabled PCs*. If you want, you can instead link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups.
 > **Note**&nbsp;&nbsp;We recommend that you test-enable these features on a group of test computers before you enable them on users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.
 ### Use Group Policy to enable VBS
 1.  To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.
@ -79,7 +86,7 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
    Figure 2. Create a new OU-linked GPO
-2.  Give the new GPO a name, for example, **Contoso Secure Boot GPO Test**, or any name you prefer. Ideally, the name will align with your existing GPO naming convention.
+2.  Give the new GPO a name, for example, **Contoso VBS settings GPO Test**, or any name you prefer. Ideally, the name will align with your existing GPO naming convention.
 3.  Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
@ -89,77 +96,32 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
    Figure 3. Enable VBS
-5.  Select the **Enabled** button, and then select a secure boot option, such as **Secure Boot**, from the **Select Platform Security Level** list.
+5.  Select the **Enabled** button, and then choose a secure boot option, such as **Secure Boot**, from the **Select Platform Security Level** list.
    ![Group Policy, Turn On Virtualization Based Security](images/device-guard-gp.png)
-    Figure 4. Enable Secure Boot (in Windows 10, version 1607)
+    Figure 4. Configure VBS, Secure Boot setting (in Windows 10, version 1607)
-    > **Important**&nbsp;&nbsp;Secure boot settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.<br>For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+    > **Important**&nbsp;&nbsp;These settings include **Secure Boot** and **Secure Boot with DMA**. In most situations we recommend that you choose **Secure Boot**. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.<br>For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
-6.  Close the Group Policy Management Editor, and then restart the Windows 10 test computer. After you configure this setting, UEFI Secure Boot will be enabled upon restart.
+6. For **Virtualization Based Protection of Code Integrity**, select the appropriate option:
-7.  Check the test computer’s event log for Device Guard GPOs.
+    - With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:<br>For an initial deployment or test deployment, we recommend **Enabled without lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
    Processed Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
 ## Enable virtualization-based security for kernel-mode code integrity
 Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), and enable the Windows features discussed in the [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment.
 > **Note**&nbsp;&nbsp;All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable this feature on a group of test computers before you enable it on users' computers.
 **To configure virtualization-based protection of KMCI manually:**
 1.  Navigate to the appropriate registry subkey: 
    - With Windows 10, version 1607, or Windows Server 2016:<br>**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios**
    - With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard**
 2.  Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**.
 3.  Restart the client computer.
 It would be time consuming to perform these steps manually on every protected computer in your enterprise. Instead, use Group Policy to deploy virtualization-based protection of KMCI. This example creates a test OU called *DG Enabled PCs*, which you will use to link the GPO. If you prefer to link the policy to an existing OU rather than create a test OU and scope the policy by using appropriately named computer security groups, that is another option.
 > **Note**&nbsp;&nbsp;We recommend that you test-enable this feature on a group of test computers before you deploy it to users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.
 ### Use Group Policy to configure VBS of KMCI
 1.  Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.
    ![Group Policy Management, create a GPO](images/dg-fig5-createnewou.png)
    Figure 5. Create a new OU-linked GPO
 2.  Give the new GPO a name, for example, **Contoso VBS CI Protection GPO Test**, or any name you prefer. Ideally, the name will align with your existing GPO naming convention.
 3.  Open the Group Policy Management Editor: Right-click the new GPO, and then click **Edit**.
 4.  Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
    ![Edit the group policy for Virtualization Based Security](images/dg-fig6-enablevbs.png)
    Figure 6. Enable VBS
 5.  Select the **Enabled** button, and then for **Virtualization Based Protection of Code Integrity**, select the appropriate option:
    - With Windows 10, version 1607 or Windows Server 2016, choose an enabled option:<br>For an initial deployment or test deployment, we recommend **Enabled without lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
    - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
    ![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png)
-    Figure 7. Enable VBS of KMCI (in Windows 10, version 1607)
+    Figure 5. Configure VBS, Lock setting (in Windows 10, version 1607)
-6.  Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart.
+7.  Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart.
-7.  Check the test client event log for Device Guard GPOs.
+8.  Check the test computer’s event log for Device Guard GPOs.
-    Processed Device Guard policies are logged in event viewer under **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
+    Processed Device Guard policies are logged in event viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational**. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
-**Validate enabled Device Guard hardware-based security features**
+
 ### Validate enabled Device Guard hardware-based security features
 Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
@ -260,11 +222,11 @@ Table 1. Win32\_DeviceGuard properties
 </tbody>
 </table>
-Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 8.
+Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6.
 ![Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png)
-Figure 8. Device Guard properties in the System Summary
+Figure 6. Device Guard properties in the System Summary
 ## Related topics
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@ -38,7 +38,7 @@
 ## [Application development for Windows as a service](application-development-for-windows-as-a-service.md)
 ## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
 ### [Getting Started with App-V](appv-getting-started.md)
-#### [About App-V](appv-about-appv.md)
+#### [What's new in App-V](appv-about-appv.md)
 ##### [Release Notes for App-V](appv-release-notes-for-appv-for-windows.md)
 #### [Evaluating App-V](appv-evaluating-appv.md)
 #### [High Level Architecture for App-V](appv-high-level-architecture.md)
--- a/windows/manage/appv-about-appv.md
+++ b/windows/manage/appv-about-appv.md
@ -90,7 +90,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu
 </tr>
 <tr class="even">
 <td align="left"><p>SQL scripts</p></td>
-<td align="left"><p>Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts).</p></td>
+<td align="left"><p>Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md).</p></td>
 </tr>
 </tbody>
 </table>
--- a/windows/manage/appv-application-publishing-and-client-interaction.md
+++ b/windows/manage/appv-application-publishing-and-client-interaction.md
@ -67,7 +67,7 @@ The Sequencer creates App-V packages and produces a virtualized application. The
-For information about sequencing, see [Application Virtualization Sequencing Guide](http://go.microsoft.com/fwlink/?LinkID=269810).
+For information about sequencing, see [How to Sequence a New Application with App-V](https://technet.microsoft.com/itpro/windows/manage/appv-sequence-a-new-application).
 ## What’s in the appv file?
@ -123,7 +123,7 @@ To change the default location of the package store during setup, see [Enable th
 ### Shared Content Store
-If the App-V Client is configured in Shared Content Store mode, no data is written to disk when a stream fault occurs, which means that the packages require minimal local disk space (publishing data). The use of less disk space is highly desirable in VDI environments, where local storage can be limited, and streaming the applications from a high performance network location (such as a SAN) is preferable. For more information on shared content store mode, see <http://go.microsoft.com/fwlink/p/?LinkId=392750>.
+If the App-V Client is configured in Shared Content Store mode, no data is written to disk when a stream fault occurs, which means that the packages require minimal local disk space (publishing data). The use of less disk space is highly desirable in VDI environments, where local storage can be limited, and streaming the applications from a high performance network location (such as a SAN) is preferable. For more information, see [Shared Content Store in Microsoft App-V 5.0 - Behind the Scenes](https://blogs.technet.microsoft.com/appv/2013/07/22/shared-content-store-in-microsoft-app-v-5-0-behind-the-scenes/).
 > [!NOTE]  
 > The machine and package store must be located on a local drive, even when you’re using Shared Content Store configurations for the App-V Client.
@ -600,7 +600,7 @@ This process will re-create both the local and network locations for AppData and
 In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers via the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are performed as a series of PowerShell commands initiated on the computer running the App-V Client.
-This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012 visit: <http://go.microsoft.com/fwlink/?LinkId=392773>.
+This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/en-us/download/details.aspx?id=38177).
 The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured during setup of the client or post-setup with PowerShell commands. See [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) or use Windows PowerShell:
@ -990,7 +990,7 @@ The App-V Client supports publishing applications with support for COM integrati
 App-V supports registering COM objects from the package to the local operating system with two process types: Out-of-process and in-process. Registering COM objects is accomplished with one or a combination of multiple modes of operation for a specific App-V package that includes off, Isolated, and Integrated. The integrated mode is configured for either the out-of-process or in-process type. Configuration of COM modes and types is accomplished with dynamic configuration files (deploymentconfig.xml or userconfig.xml).
-Details on App-V integration are available at: <http://go.microsoft.com/fwlink/?LinkId=392834>.
+For details on App-V integration, see [Microsoft Application Virtualization 5.0 Integration](https://blogs.technet.microsoft.com/appv/2013/01/03/microsoft-application-virtualization-5-0-integration).
 ### Software clients and application capabilities
@ -1059,7 +1059,7 @@ For situations where there is more than one application that could register the
 The AppPath extension point supports calling App-V applications directly from the operating system. This is typically accomplished from the Run or Start Screen, depending on the operating system, which enables administrators to provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable. It therefore avoids modifying the system path environment variable on all systems, as it is accomplished during publishing.
-The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For additional information on AppPath review: <http://go.microsoft.com/fwlink/?LinkId=392835>.
+The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For additional information on AppPath review: [App Paths ? A Virtual Application Extension in App-V 5.0](https://blogs.technet.microsoft.com/virtualworld/2012/12/12/app-paths-a-virtual-application-extension-in-app-v-5-0/).
 ### Virtual application
--- a/windows/manage/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/manage/appv-deploying-microsoft-office-2010-wth-appv.md
@ -65,7 +65,7 @@ The following table shows the App-V versions, methods of Office package creation
 Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. Microsoft has provided a detailed recipe through a Knowledge Base article. To create an Office 2010 package on App-V, refer to the following link for detailed instructions:
-[How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676)
+[How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/en-us/kb/2830069)
 ## Creating Office 2010 App-V packages using package accelerators
@ -170,7 +170,7 @@ The following table provides a full list of supported integration points for Off
 </tr>
 <tr class="even">
 <td align="left"><p>Active X Controls:</p></td>
-<td align="left"><p>For more information on ActiveX controls, refer to [ActiveX Control API Reference](http://go.microsoft.com/fwlink/p/?LinkId=331361).</p></td>
+<td align="left"><p>For more information on ActiveX controls, refer to [ActiveX Control API Reference](https://msdn.microsoft.com/library/office/ms440037(v=office.14).aspx).</p></td>
 <td align="left"><p></p></td>
 </tr>
 <tr class="odd">
@ -268,19 +268,19 @@ The following table provides a full list of supported integration points for Off
 **Office 2013 App-V Packages Additional Resources**
-[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](http://go.microsoft.com/fwlink/p/?LinkId=330680)
+[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://support.microsoft.com/en-us/kb/2772509)
 **Office 2010 App-V Packages**
-[Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330681)
+[Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/en-us/download/details.aspx?id=38399)
-[Known issues when you create or use an App-V 5.0 Office 2010 package](http://go.microsoft.com/fwlink/p/?LinkId=330682)
+[Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/en-us/kb/2828619)
-[How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676)
+[How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/en-us/kb/2830069)
 **Connection Groups**
-[Deploying Connection Groups in Microsoft App-V v5](http://go.microsoft.com/fwlink/p/?LinkId=330683)
+[Deploying Connection Groups in Microsoft App-V v5](https://blogs.technet.microsoft.com/appv/2012/11/06/deploying-connection-groups-in-microsoft-app-v-v5/)
 [Managing Connection Groups](appv-managing-connection-groups.md)
--- a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
@ -46,7 +46,7 @@ Use the following table to get information about supported versions of Office an
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>[Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md#bkmk-office-vers-supp-appv)</p></td>
+<td align="left"><p>[Supported versions of Microsoft Office](appv-planning-for-using-appv-with-office.md#bkmk-office-vers-supp-appv)</p></td>
 <td align="left"><ul>
 <li><p>Supported versions of Office</p></li>
 <li><p>Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)</p></li>
@ -54,7 +54,7 @@ Use the following table to get information about supported versions of Office an
 </ul></td>
 </tr>
 <tr class="even">
-<td align="left"><p>[Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md#bkmk-plan-coexisting)</p></td>
+<td align="left"><p>[Planning for using App-V with coexisting versions of Office](appv-planning-for-using-appv-with-office.md#bkmk-plan-coexisting)</p></td>
 <td align="left"><p>Considerations for installing different versions of Office on the same computer</p></td>
 </tr>
 </tbody>
@ -860,19 +860,19 @@ The following table describes the requirements and options for deploying Visio 2
 [Office Deployment Tool for Click-to-Run](http://go.microsoft.com/fwlink/p/?LinkID=330672)
-[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](http://go.microsoft.com/fwlink/p/?LinkId=330680)
+[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://support.microsoft.com/en-us/kb/2772509)
 **Office 2010 App-V Packages**
-[Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330681)
+[Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/en-us/download/details.aspx?id=38399)
-[Known issues when you create or use an App-V 5.0 Office 2010 package](http://go.microsoft.com/fwlink/p/?LinkId=330682)
+[Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/en-us/kb/2828619)
-[How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676)
+[How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/en-us/kb/2830069)
 **Connection Groups**
-[Deploying Connection Groups in Microsoft App-V v5](http://go.microsoft.com/fwlink/p/?LinkId=330683)
+[Deploying Connection Groups in Microsoft App-V v5](https://blogs.technet.microsoft.com/appv/2012/11/06/deploying-connection-groups-in-microsoft-app-v-v5/)
 [Managing Connection Groups](appv-managing-connection-groups.md)
--- a/windows/manage/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/manage/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@ -14,7 +14,7 @@ ms.prod: w10
 You can deploy App-V packages using an Electronic Software Distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md).
-To deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to Application Management in Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=281816)
+To deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to Application Management in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682125.aspx#BKMK_Appv)
 ## How to deploy virtualized packages using an ESD
@ -38,7 +38,7 @@ Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-micros
 ## Other resources for using an ESD and App-V
-Use the following link for more information about [App-V and Citrix Integration](http://go.microsoft.com/fwlink/?LinkId=330294 ) (http://go.microsoft.com/fwlink/?LinkId=330294).
+Use the following link for more information about [App-V and Citrix Integration](https://www.microsoft.com/en-us/download/details.aspx?id=40885).
 [Operations for App-V](appv-operations.md)
--- a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
@ -76,9 +76,9 @@ There might be cases when the administrator pre-loads some virtual applications
 The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a simple and predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications.
-For a list of changes in the App-V Sequencer, see [About App-V](appv-about-appv.md).
+For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
-[How to Install the Sequencer](appv-install-the-sequencer.md)
+To deploy the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
 ## App-V Client and Sequencer logs
--- a/windows/manage/appv-deploying-the-appv-server.md
+++ b/windows/manage/appv-deploying-the-appv-server.md
@ -16,7 +16,7 @@ Applies to: Windows 10, version 1607
 You can install the Application Virtualization (App-V) server components using different deployment configurations, which are described in this topic. Before you install the server features, review the server section of [App-V Security Considerations](appv-security-considerations.md). 
-For information about deploying App-V for Windows 10, see [About App-V](appv-about-appv.md).
+For information about deploying App-V for Windows 10, see [What's new in App-V](appv-about-appv.md).
 >**Important**<br>Before you install and configure the App-V servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.
--- a/windows/manage/appv-for-windows.md
+++ b/windows/manage/appv-for-windows.md
@ -16,7 +16,7 @@ The topics in this section provide information and step-by-step procedures to he
 [Getting Started with App-V](appv-getting-started.md)  
- [About App-V](appv-about-appv.md)
+- [What's new in App-V](appv-about-appv.md)
 - [Evaluating App-V](appv-evaluating-appv.md)
 - [High Level Architecture for App-V](appv-high-level-architecture.md)
 - [Accessibility for App-V](appv-accessibility.md)
--- a/windows/manage/appv-getting-started.md
+++ b/windows/manage/appv-getting-started.md
@ -41,7 +41,7 @@ If you are new to this product, we recommend that you read the documentation tho
 ## Getting started with App-V
-   [About App-V](appv-about-appv.md)
+-   [What's new in App-V](appv-about-appv.md)
    Provides a high-level overview of App-V and how it can be used in your organization.
--- a/windows/manage/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/manage/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@ -273,7 +273,7 @@ The pending task will run later, according to the following rules:
-For more information about pending tasks, see [About App-V 5.0 SP2](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/about-app-v-50-sp2.md#bkmk-pkg-upgr-pendg-tasks).
+For more information about pending tasks, see [Upgrading an in-use App-V package](appv-application-publishing-and-client-interaction.md#upgrading-an-in-use-app-v-package).
 **Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
--- a/windows/manage/appv-performance-guidance.md
+++ b/windows/manage/appv-performance-guidance.md
@ -20,9 +20,9 @@ You should read and understand the following information before reading this doc
 -   [Application Virtualization (App-V) overview](appv-for-windows.md)
-   [App-V 5 SP2 Application Publishing and Client Interaction](http://go.microsoft.com/fwlink/?LinkId=395206)
+-   [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
-   [Microsoft Application Virtualization Sequencing Guide](http://go.microsoft.com/fwlink/?LinkId=269953)
+-   [Microsoft Application Virtualization Sequencing Guide](https://www.microsoft.com/en-us/download/details.aspx?id=27760)
 **Note**  
 Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk **\*** review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document.
--- a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
@ -19,7 +19,7 @@ Before you can use App-V, you must install the App-V Sequencer, enable the App-V
 App-V uses a process called sequencing to create virtualized applications and application packages. Sequencing requires the use of a computer that runs the App-V Sequencer.
 > [!NOTE]  
-> For information about the new functionality of App-V sequencer, see the **Sequencer Improvements** section of [About App-V](appv-about-appv.md).
+> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
 The computer that runs the App-V sequencer must meet the minimum system requirements. For a list of these requirements, see [App-V Supported Configurations](appv-supported-configurations.md).
--- a/windows/manage/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/manage/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@ -10,7 +10,7 @@ ms.prod: w10
 # Planning to Deploy App-V with an electronic software distribution system
-If you are using an electronic software distribution system to deploy App-V packages, review the following planning considerations. For information about using System Center Configuration Manager to deploy App-V, see [Introduction to Application Management in Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=281816).
+If you are using an electronic software distribution system to deploy App-V packages, review the following planning considerations. For information about using System Center Configuration Manager to deploy App-V, see [Introduction to Application Management in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682125.aspx#BKMK_Appv).
 Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages:
--- a/windows/manage/appv-reporting.md
+++ b/windows/manage/appv-reporting.md
@ -31,7 +31,7 @@ The following list displays the end–to-end high-level workflow for reporting i
 2.  Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server.
-3.  If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at <http://go.microsoft.com/fwlink/?LinkId=397255>.
+3.  If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports ](https://www.microsoft.com/en-us/download/details.aspx?id=42630).
    >**Note**  
    If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V.
@ -286,7 +286,7 @@ To retrieve report information and create reports using App-V you must use one o
 -   **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports.
-    Use the following link for more information about using [Microsoft SQL Server Reporting Services](http://go.microsoft.com/fwlink/?LinkId=285596).
+    Use the following link for more information about using [Microsoft SQL Server Reporting Services](https://technet.microsoft.com/en-us/library/ms159106(v=sql.130).aspx).
 -   **Scripting** – You can generate reports by scripting directly against the App-V reporting database. For example:
--- a/windows/manage/configure-windows-10-taskbar.md
+++ b/windows/manage/configure-windows-10-taskbar.md
@ -175,7 +175,7 @@ If you only want to remove some of the default pinned apps, you would use this m
 ## Configure taskbar by country or region
-The following example shows you how to configure taskbars by country or region. When you specify one or more country or region in `<taskbar:TaskbarPinList>`, the pinned apps in that section are only pinned on computers that are configured for that country or region. When specifying taskbar configuration by country or region, the taskbar will concatenate pinlists together so long as the target computer meets the country or region requirements. If no country or region is specified for a `<TaskbarPinList>` node, it will apply to every country and region.
+The following example shows you how to configure taskbars by country or region. When you specify one or more country or region in `<taskbar:TaskbarPinList>`, the pinned apps in that section are only pinned on computers that are configured for that country or region. When specifying taskbar configuration by country or region, the taskbar will concatenate pinlists together so long as the target computer meets the country or region requirements. If no country or region is specified for a `<TaskbarPinList>` node, it will apply to every country and region, only if the country or region has not been defined prior. Unspecified country or region in  `<taskbar:TaskbarPinList>` will not merge with a `<taskbar:TaskbarPinList>` that has country or region specified.
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -273,7 +273,14 @@ To turn off font streaming, create a REG\_DWORD registry setting called **Disabl
 ### <a href="" id="bkmk-previewbuilds"></a>6. Insider Preview builds
-To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
+To turn off Insider Preview builds for a released version of Windows 10:
 - Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds** &gt; **Toggle user control over Insider builds**.
 To turn off Insider Preview builds for an Insider Preview version of Windows 10:
 > [!NOTE]  
 > If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
 -   Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@ -57,6 +57,7 @@ Windows 10, version 1607, provides administrators with increased control over up
 - Quality Updates can be deferred up to 30 days and paused for 35 days
 - Feature Updates can be deferred up to 180 days and paused for 60 days
 - Update deferrals can be applied to both Current Branch (CB) and Current Branch for Business (CBB)
 - Drivers can be excluded from udpates
 ## Security
`@ -273,7 +273,7 @@ The pending task will run later, according to the following rules:`



	`For more information about pending tasks, see [About App-V 5.0 SP2](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/about-app-v-50-sp2.md#bkmk-pkg-upgr-pendg-tasks).`	`For more information about pending tasks, see [Upgrading an in-use App-V package](appv-application-publishing-and-client-interaction.md#upgrading-an-in-use-app-v-package).`

	`Have a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).`	`Have a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).`