Merge pull request #1302 from MicrosoftDocs/FromPrivateRepo

From private repo

browsers/edge/includes/allow-address-bar-suggestions-include.md

@@ -9,8 +9,8 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled |0 |0 |Not allowed. Hides the Address bar drop-down functionality, which also disables the _Show search and site suggestions as I type_ toggle in Settings.  |![Most restricted value](../images/check-gn.png) |
-|Enabled or not configured **(default)** |1 |1 |Allowed. Shows the Address bar drop-down list and makes it available. | |
+|Disabled |0 |0 |Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings.  |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured **(default)** |1 |1 |Allowed. Show the Address bar drop-down list and make it available. | |
 ---
 
 ### ADMX info and settings
@@ -30,7 +30,7 @@
 #### Registry settings
 - **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI 
 - **Value name:** ShowOneBox
-- **Value type:** REG_
+- **Value type:** REG_DWORD
 
 
 ### Related policies

browsers/edge/includes/allow-adobe-flash-include.md

@@ -8,8 +8,8 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled |0 |0 |Prevented/not allowed. | |
-|Enabled<br>**(default)** |1 |1 |Allowed. | |
+|Disabled |0 |0 |Prevented/not allowed | |
+|Enabled<br>**(default)** |1 |1 |Allowed | |
 --- 
 
 ### ADMX info and settings

browsers/edge/includes/allow-clearing-browsing-data-include.md

@@ -8,8 +8,8 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |Prevented, but users can configure the _Clear browsing data_ option in Settings. | |
-|Enabled |1 |1 |Allowed |![Most restricted value](../images/check-gn.png) |
+|Disabled or not configured<br>**(default)** |0 |0 |Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. | |
+|Enabled |1 |1 |Allowed. Clears the browsing data upon exit automatically. |![Most restricted value](../images/check-gn.png) |
 ---
 
 
@@ -30,6 +30,6 @@
 #### *Registry
 - **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy
 - **Value name:** ClearBrowsingHistoryOnExit
-- **Value type:** REG_DWORD</li></ul> 
+- **Value type:** REG_DWORD 
 
 <hr>

browsers/edge/includes/allow-config-updates-books-include.md

@@ -15,8 +15,8 @@
 ### ADMX info and settings
 
 #### ADMX info
-- **GP English name:** 
-- **GP name:** 
+- **GP English name:** Allow configuration updates for the Books Library
+- **GP name:** AllowConfigurationUpdateForBooksLibrary
 - **GP path:** Windows Components/Microsoft Edge
 - **GP ADMX file name:** MicrosoftEdge.admx
 
@@ -34,5 +34,5 @@
 ### Related topics
 
 [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-
+<p>
 <hr>

browsers/edge/includes/allow-cortana-include.md

@@ -8,21 +8,22 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled |0 |0 |Prevented but users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) |
+|Disabled |0 |0 |Prevented/not allowed. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) |
 |Enabled<br>**(default)** |1 |1 |Allowed. | |
 ---
 
 ### ADMX info and settings
 
 #### ADMX info
-- **GP English name:** 
-- **GP name:** 
+- **GP English name:** Allow Cortana
+- **GP name:** AllowCortana
 - **GP path:** Windows Components/Microsoft Edge
 - **GP ADMX file name:** MicrosoftEdge.admx
 
 #### MDM settings 
 - **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)
-- **Supported devices:** Mobile**URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana 
+- **Supported devices:** Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana 
 - **Data type:** Integer
  
 #### Registry settings 

browsers/edge/includes/allow-dev-tools-include.md

@@ -9,8 +9,8 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) |
-|Enabled |1 |1 |Allowed. | |
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Allowed | |
 ---
 
 
@@ -23,7 +23,7 @@
 - **GP ADMX file name:**  MicrosoftEdge.admx
 
 #### MDM settings
-- **MDM name:** Browser/AllowDeveloperTools
+- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools)
 - **Supported devices:** Desktop
 - **URI full Path:**	./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools
 - **Data type:** Integer

browsers/edge/includes/allow-enable-book-library-include.md

@@ -8,8 +8,8 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |Shows the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) |
-|Enabled |1 |1 |Shows the Books Library, regardless of the device’s country or region. | |
+|Disabled or not configured<br>**(default)** |0 |0 |Show the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Show the Books Library, regardless of the device’s country or region. | |
 ---
 ### ADMX info and settings
 

browsers/edge/includes/allow-ext-telemetry-books-tab-include.md

@@ -32,10 +32,4 @@
 - **Value type:** REG_DWORD
 
 
-### Scenario
-
-Due to current Privacy policy, the Books feature does not have the right to gather the book's unique identifier through regular events (because it could help to build a Reading history, which is not an explicit feature).
-
-For Schools that are one of the target of this feature of Edge, we will propose an advanced telemetry report to the Teachers. This advanced report system will require to have the ProductId in events so IT Admin will be able to enable the propagation from the user's device to Microsoft Telemetry servers of events that contain ProductId.
-
 <hr>

browsers/edge/includes/allow-extensions-include.md

@@ -6,15 +6,10 @@
 
 ### Allowed values
 
--	(0) Disabled - Prevented.
--	(1 default) Enabled – Allowed.
-
-Most restricted value: None### Allowed values
-
 |Group Policy  |MDM |Registry |Description |
 |---|:---:|:---:|---|
-|Disabled |0 |0 |Prevented/not allowed. | 
-|Enabled or not configured<br>**(default)** |1 |1 |Allowed. | 
+|Disabled |0 |0 |Prevented/not allowed | 
+|Enabled or not configured<br>**(default)** |1 |1 |Allowed | 
 ---
 
 ### ADMX info and settings

browsers/edge/includes/allow-inprivate-browsing-include.md

@@ -10,8 +10,8 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) |
-|Enabled or not configured<br>**(default)** |1 |1 |Allowed. | |
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured<br>**(default)** |1 |1 |Allowed | |
 ---
 
 ### ADMX info and settings

browsers/edge/includes/allow-microsoft-compatibility-list-include.md

@@ -8,8 +8,8 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled |0 |0 |Prevented/ignored. |![Most restricted value](../images/check-gn.png) |
-|Enabled or not configured<br>**(default)** |1 |1 |Allowed. | |
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured<br>**(default)** |1 |1 |Allowed | |
 ---
 
 ### ADMX info and settings

browsers/edge/includes/allow-search-engine-customization-include.md

@@ -8,46 +8,24 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) |
-|Enabled or not configured<br>**(default)** |1 |1 |Allowed. | |
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured<br>**(default)** |1 |1 |Allowed | |
 ---
 
+
 ### Configuration combinations
 
 | **Set default search engine** | **Allow search engine customization** | **Configure additional search engines** | **Outcome** |
 | --- | --- | --- | --- |
 | Not configured (default) | Disabled | Disabled or not configured (default) | Default search engine specified in App settings. Users cannot make changes. |
 | Not configured (default) | Enabled or not configured (default) | Disabled or not configured (default) | Default search engine specified in App settings. Users can make changes to the default search engine at any time. |
-| Not configured (default) | Disabled | Enabled | ??? |
-| Not configured (default) | Enabled or not configured (default) | Enabled | ??? |
 | Disabled | Disabled | Disabled or not configured (default) | Users cannot add, remove, or change any of the search engines, but they can set a default search engine. |
 | Disabled | Enabled or not configured (default) | Disabled or not configured (default) | Users can add new search engines or change the default search engine, in Settings. |
 | Enabled | Disabled | Disabled or not configured (default) | Set the default search engine preventing users from making changes. |
 | Enabled | Enabled or not configured (default) | Disabled or not configured (default) | Set the default search engine and allow users to add search engines or make changes. |
+---
 
-#### If you want to use the default search engine in Apps settings and prevent users from making changes.
-
-
-#### If you want to use the default search engine in Apps setting and let users make changes.
-
-
-#### ???
-
-
-#### ???
-
-
-#### If you don't want users to add, remove, or change any of the search engines, but users can set a default search engine of their own.
-
-
-#### If you want users to add new search engines or change the default in Settings.
-
-
-#### If you want to set the default search engine and prevent users from making changes.  
-
-
-#### If you want to set the default search engine and let users make changes. 
-
+![Set default search engine](../images/set-default-search-engine.png)
 
 
 ### ADMX info and settings

browsers/edge/includes/allow-sideloading-extensions-include.md

@@ -8,7 +8,7 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled or not configured |0 |0 |Prevented, but does not prevent sideloading of extensions using Add-AppxPackage via PowerShell.<p>To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Computer Configuration \> Administrative Templates \> Windows Components \> App Package Deployment. For the MDM setting, enable **ApplicationManagement/AllowDeveloperUnlock**. |![Most restricted value](../images/check-gn.png) |
+|Disabled or not configured |0 |0 |Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Windows Components > App Package Deployment.<p>For the MDM setting, enable **ApplicationManagement/AllowDeveloperUnlock**. |![Most restricted value](../images/check-gn.png) |
 |Enabled<br>**(default)** |1 |1 |Allowed. | |
 ---
 
@@ -22,18 +22,18 @@
 
 #### MDM settings
 - **MDM name:** Browser/[AllowSideloadingExtensions](../new-policies.md#allow-sideloading-of-extensions)
-- **Supported devices:** Desktop and Mobile
+- **Supported devices:** Desktop 
 - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions 
 - **Data type:** Integer
 
 #### Registry settings
 - **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Extensions 
 - **Value name:** AllowSideloadingOfExtensions
-- **Value type:** REG_SZ
+- **Value type:** REG_DWORD
 
 ### Related policies
 
-- Allows development of Windows Store apps and installing them from an integrated development environment (IDE): When you enable this policy and the Allow all trusted apps to install policy, you allow users to develop Windows Store apps and install them directly from an IDE.
+- Allows development of Windows Store apps and installing them from an integrated development environment (IDE): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE.
 
 - Allow all trusted apps to install: When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
 

browsers/edge/includes/allow-tab-preloading-include.md

@@ -1,6 +1,6 @@
 <!-- ## Allow Start and New Tab page preload (aka: AllowStartAndNewTabPagePreload) 
 >*Supported versions: Microsoft Edge on Windows 10, version 1802*<br> -->
->*Default setting:  Enabled or not configured (Allow preloading)*
+>*Default setting:  Enabled or not configured (Allowed)*
 
 [!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)]
 
@@ -9,7 +9,7 @@
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
 |Enabled or not configured<br>**(default)** |0 |0 |Allowed. Preload Start and New tab pages. | |
-|Disabled |1 |1 |Prevent/not allowed. |![Most restricted value](../images/check-gn.png) |
+|Disabled |1 |1 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) |
 ---
 
 ### ADMX info and settings

browsers/edge/includes/allow-web-content-new-tab-page-include.md

@@ -8,11 +8,11 @@
 
 ### Allowed values
 
-|Group Policy  |MDM |Registry |Description |Most restricted |
-|---|:---:|:---:|---|:---:|
-|Not configured |Blank |Blank |Users can choose what loads in the New tab page. | |
-|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevents users from changing it. | |
-|Enabled **(default)** |1 |1 |Load the default New tab page. | |
+|Group Policy  |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Not configured |Blank |Blank |Users can choose what loads on the New tab page. | 
+|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevents users from changing it. | 
+|Enabled **(default)** |1 |1 |Load the default New tab page. | 
 ---
 
 ### ADMX info and settings

browsers/edge/includes/always-enable-book-library-include.md

@@ -9,8 +9,8 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |Shows the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) |
-|Enabled |1 |1 |Shows the Books Library, regardless of the device’s country or region. | |
+|Disabled or not configured<br>**(default)** |0 |0 |Show the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Show the Books Library, regardless of the device’s country or region. | |
 ---
 
 ### ADMX info and settings

browsers/edge/includes/configure-additional-search-engines-include.md

@@ -1,6 +1,6 @@
 <!-- ## Configure additional search engines -->
 >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*<br>
->*Default setting:  Disabled or not configured (Not allowed)*
+>*Default setting:  Disabled or not configured (Prevented/Not allowed)*
 
 [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)]
 
@@ -8,46 +8,25 @@
 
 |Group Policy  |MDM |Registry |Description |Most restricted |
 |---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |If you don't configure this policy, Microsoft Edge uses the search engine specified in App settings.<p>If you enabled this policy and now you want to disable it, disabling removes all configured search engines.|![Most restricted value](../images/check-gn.png) |
-|Enabled |1 |1 |Add up to five additional search engines and set any one of them as the default.<p>For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine.  For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).  | |
+|Disabled or not configured<br>**(default)** |0 |0 Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.<p>If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.
+For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).  | |
 ---
 
+
 ### Configuration combinations
 
 | **Set default search engine** | **Allow search engine customization** | **Configure additional search engines** | **Outcome** |
 | --- | --- | --- | --- |
 | Not configured (default) | Disabled | Disabled or not configured (default) | Default search engine specified in App settings. Users cannot make changes. |
 | Not configured (default) | Enabled or not configured (default) | Disabled or not configured (default) | Default search engine specified in App settings. Users can make changes to the default search engine at any time. |
-| Not configured (default) | Disabled | Enabled | ??? |
-| Not configured (default) | Enabled or not configured (default) | Enabled | ??? |
 | Disabled | Disabled | Disabled or not configured (default) | Users cannot add, remove, or change any of the search engines, but they can set a default search engine. |
 | Disabled | Enabled or not configured (default) | Disabled or not configured (default) | Users can add new search engines or change the default search engine, in Settings. |
 | Enabled | Disabled | Disabled or not configured (default) | Set the default search engine preventing users from making changes. |
 | Enabled | Enabled or not configured (default) | Disabled or not configured (default) | Set the default search engine and allow users to add search engines or make changes. |
+---
 
-#### If you want to use the default search engine in Apps settings and prevent users from making changes.
-
-
-#### If you want to use the default search engine in Apps setting and let users make changes.
-
-
-#### ???
-
-
-#### ???
-
-
-#### If you don't want users to add, remove, or change any of the search engines, but users can set a default search engine of their own.
-
-
-#### If you want users to add new search engines or change the default in Settings.
-
-
-#### If you want to set the default search engine and prevent users from making changes.  
-
-
-#### If you want to set the default search engine and let users make changes. 
-
+![Set default search engine](../images/set-default-search-engine.png)
 
 
 ### ADMX info and settings

browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md

@@ -8,7 +8,7 @@ You must set the Configure kiosk mode policy to enabled (1 - InPrivate public br
 
 ### Allowed values
 
--   **0-1440 - Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds.
+-   **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds.
 
 -   **0** – No idle timer.
 

browsers/edge/includes/configure-favorites-bar-include.md

@@ -8,11 +8,11 @@
 
 ### Allowed values
 
-|Group Policy  |MDM |Registry |Description |Most restricted |
-|---|:---:|:---:|---|:---:|
-|Not configured<br>**(default)** |Blank |Blank |Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. | |
-|Disabled |0 |0 |Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | |
-|Enabled |1 |1 |Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | |
+|Group Policy  |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Not configured<br>**(default)** |Blank |Blank |Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. | 
+|Disabled |0 |0 |Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | 
+|Enabled |1 |1 |Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | 
 ---
 
 ### ADMX info and settings

browsers/edge/includes/configure-home-button-include.md

@@ -8,7 +8,7 @@
 ### Allowed values
 
 |Group Policy  |MDM |Registry |Description |
-|---|:---:|:---:|---|:---:|
+|---|:---:|:---:|---|
 |Disabled or not configured<br>**(default)** |0 |0 |Show the home button and load the Start page. |
 |Enabled |1 |1 |Show the home button and load the New tab page. |
 |Enabled |2 |2 |Show the home button and load the custom URL defined in the Set Home Button URL policy. |
@@ -40,7 +40,7 @@ With these values, you can do any of the following configurations:
 #### Registry settings
 - **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings 
 - **Value name:** ConfigureHomeButton
-- **Value type:** REG_SZ
+- **Value type:** REG_DWORD
 
 ### Related policies
 

browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md

@@ -11,8 +11,8 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o
 
 | | |
 |---|---|
-|(0) Default or not configured |<ul><li>If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays.</li><li>If it’s one of many apps, Microsoft Edge runs as normal.</li></ul> |
-|(1) Enabled |<ul><li>If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy.</li><li>If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.</li></ul> |
+|(0) Default or not configured |<ul><li>If it’s a single app, Microsoft Edge runs InPrivate full screen for digital signage or interactive displays.</li><li>If it’s one of many apps, Microsoft Edge runs as normal.</li></ul> |
+|(1) Enabled |<ul><li>•	If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy.<p>**_For single-app public browsing_**: If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.</li><li>If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.</li></ul> |
 ---
 
 ![Microsoft Edge kiosk experience](../images/microsoft-edge-kiosk-mode.png)

browsers/edge/includes/configure-open-edge-with-include.md

@@ -12,7 +12,7 @@
 ### Allowed values
 
 |Group Policy  |MDM |Registry |Description |
-|---|---|---|---|
+|---|:---:|:---:|---|
 |Not configured |Blank |Blank |If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
 |Enabled |0 |0 |Loads the Start page. |
 |Enabled |1 |1 |Load the New tab page. |
@@ -35,74 +35,6 @@
 
 If you want to make changes to this policy:<ol><li>Set the Disabled Lockdown of Start Pages to not configured.</li><li>Make changes to the Configure Open Microsoft With policy.</li><li>Enable the Disabled Lockdown of Start Pages.</li></ol>
 
-#### Load URLs defined in the Configure Open Microsoft Edge With policy, and let users make changes.
-
-1. Enable the **Configure Open Microsoft Edge With** policy. Applies to all options for this policy. <p>
-
-2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
-
-3. Enable the **Disabled Lockdown of Start Pages** policy by selecting *All configured start pages are editable*.
-
----
-
-#### Load any start page and let users make changes.
-
-1. Disable or don't configure the **Configure Open Microsoft Edge With** policy.
-
-2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets in the following format:<p> \<support.contoso.com\>\<support.microsoft.com\>
-
-3. Enable the **Disabled Lockdown of Start Pages** policy by selecting *Start pages are not editable*.
-
----
-
-#### Load Start page(s) and prevent users from making changes.
-
-1. Enable the **Configure Open Microsoft Edge With** policy by selecting *Start page*.<p>
-
-2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
-
-3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
-
----
-
-#### Load New tab page and prevent users from making changes.
-
-1. Enable the **Configure Open Microsoft Edge With** policy by selecting *New tab page*.<p>
-
-2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
-
-3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
-
----
-
-#### Load previously opened pages and prevent users from making changes.
-
-1. Enable the **Configure Open Microsoft Edge With** policy by selecting *Previous pages*.<p>
-
-2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
-
-3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
-
----
-
-#### Load a specific page or pages and prevent users from making changes.
-
-1. Enable the **Configure Open Microsoft Edge With** policy by selecting *A specific page or pages*.<p>
-
-2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
-
-3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
-
----
-
-#### Load a specific page or pages and let users make changes.
-
-1. Enable the **Configure Open Microsoft Edge With** policy by selecting *A specific page or pages*. <p>
-
-2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
-
-3. Enable **Disabled Lockdown of Start Pages** by selecting *Start pages are not editable*.
-
 
 ### ADMX info and settings
 #### ADMX info

browsers/edge/includes/do-not-sync-browser-settings-include.md

@@ -6,10 +6,10 @@
 
 ### Allowed values
 
-|Group Policy  |MDM |Registry |Description |Most restricted |
-|---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | |
-|Enabled |2 |2 |Prevented/turned off.  The “browser” group does not use the Sync your Settings option. | |
+|Group Policy  |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. |
+|Enabled |2 |2 |Prevented/turned off.  The “browser” group does not use the Sync your Settings option. |
 ---
 
 ### Configuration options

browsers/edge/includes/prevent-turning-off-required-extensions-include.md

@@ -6,29 +6,29 @@
 
 ### Allowed values
 
-|Group Policy  |Description |Most restricted |
-|---|---|:---:|
-|Disabled or not configured<br>**(default)** |Provide a semi-colon delimited list of extension PFNs. For example, adding _Microsoft.OneNoteWebClipper8wekyb3d8bbwe_ or _Microsoft.OfficeOnline8wekyb3d8bbwe_ prevents a user from turning off the OneNote Web Clipper and Office Online extension. After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. | |
-|Enabled |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored.  | |
+|Group Policy  |Description |
+|---|---|
+|Disabled or not configured<br>**(default)** |Provide a semi-colon delimited list of extension PFNs. For example, adding _Microsoft.OneNoteWebClipper8wekyb3d8bbwe_ or _Microsoft.OfficeOnline8wekyb3d8bbwe_ prevents a user from turning off the OneNote Web Clipper and Office Online extension. After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. | 
+|Enabled |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored.  | 
 ---
 
 ### ADMX info and settings
 #### ADMX info
 - **GP English name:** Prevent turning off required extensions
-- **GP name:** ForceEnabledExtensions
+- **GP name:** PreventTurningOffRequiredExtensions
 - **GP path:** Windows Components/Microsoft Edge
 - **GP ADMX file name:** MicrosoftEdge.admx
 
 #### MDM settings
 - **MDM name:** Browser/[PreventTurningOffRequiredExtensions](../new-policies.md#prevent-turning-off-required-extensions)
-- **Supported devices:** Desktop and Mobile
+- **Supported devices:** Desktop 
 - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions 
-- **Data type:** Integer
+- **Data type:** String
 
 #### Registry settings
-- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\ 
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Extensions 
 - **Value name:** PreventTurningOffRequiredExtensions
-- **Value type:** REG_DWORD
+- **Value type:** REG_SZ
 
 ### Related policies
 [Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)]

browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md

@@ -6,10 +6,10 @@
 [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
 
 ### Allowed values
-|Group Policy  |MDM |Registry |Description |Most restricted |
-|---|:---:|:---:|---|:---:|
-|Disabled |0 |0 |Allowed/turned on. Users can sync the browser settings.  | |
-|Enabled or not configured<br>**(default)** |1 |1 |Prevented/turned off. | |
+|Group Policy  |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled |0 |0 |Allowed/turned on. Users can sync the browser settings.  | 
+|Enabled or not configured<br>**(default)** |1 |1 |Prevented/turned off. | 
 ---
 
 ### Configuration options
@@ -30,15 +30,11 @@
 - **GP ADMX file name:** MicrosoftEdge.admx
 
 #### MDM settings
-- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing]()
+- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing)
 - **Supported devices:** Desktop
 - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing 
 - **Data type:** String
 
-#### Registry settings
-- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge 
-- **Value name:** 
-- **Value type:** 
 
 ### Related policies
 [Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)].

browsers/edge/includes/set-default-search-engine-include.md

@@ -19,35 +19,13 @@
 | --- | --- | --- | --- |
 | Not configured (default) | Disabled | Disabled or not configured (default) | Default search engine specified in App settings. Users cannot make changes. |
 | Not configured (default) | Enabled or not configured (default) | Disabled or not configured (default) | Default search engine specified in App settings. Users can make changes to the default search engine at any time. |
-| Not configured (default) | Disabled | Enabled | ??? |
-| Not configured (default) | Enabled or not configured (default) | Enabled | ??? |
 | Disabled | Disabled | Disabled or not configured (default) | Users cannot add, remove, or change any of the search engines, but they can set a default search engine. |
 | Disabled | Enabled or not configured (default) | Disabled or not configured (default) | Users can add new search engines or change the default search engine, in Settings. |
 | Enabled | Disabled | Disabled or not configured (default) | Set the default search engine preventing users from making changes. |
 | Enabled | Enabled or not configured (default) | Disabled or not configured (default) | Set the default search engine and allow users to add search engines or make changes. |
+---
 
-#### If you want to use the default search engine in Apps settings and prevent users from making changes.
-
-
-#### If you want to use the default search engine in Apps setting and let users make changes.
-
-
-#### ???
-
-
-#### ???
-
-
-#### If you don't want users to add, remove, or change any of the search engines, but users can set a default search engine of their own.
-
-
-#### If you want users to add new search engines or change the default in Settings.
-
-
-#### If you want to set the default search engine and prevent users from making changes.  
-
-
-#### If you want to set the default search engine and let users make changes. 
+![Set default search engine](../images/set-default-search-engine.png)
 
 
 ### ADMX info and settings

browsers/edge/includes/set-home-button-url-include.md

@@ -7,7 +7,7 @@
 ### Allowed values
 
 |Group Policy  |MDM |Registry |Description |
-|---|:---:|:---:|---|:---:|
+|---|:---:|:---:|---|
 |Disabled or not configured<br>**(default)** |Blank |Blank |Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. |
 |Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com. A custom URL loads when clicking the home button.  You must also enable the [Configure Home Button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option.  |
 ---
@@ -44,7 +44,7 @@ Enable the **Configure Home Button** policy and select the _Hide home button_ op
 
 #### Registry settings
 - **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
-- **Value name:** HomeButtonURL
+- **Value name:** ConfigureHomeButtonURL
 - **Value type:** REG_SZ
 
 ### Related policies

browsers/edge/includes/set-new-tab-url-include.md

@@ -7,9 +7,9 @@
 ### Allowed values
 
 |Group Policy  |MDM |Registry |Description |
-|---|:---:|:---:|---|:---:|
+|---|:---:|:---:|---|
 |Disabled or not configured<br>**(default)** |Blank |Blank |Load the default New tab page. |
-|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.<p>Prevent users from changing the New tab page. |
+|Enabled - String |String |String |Prevent users from changing the New tab page.<p>Enter a URL in string format, for example, https://www.msn.com. |
 ---
 
 ### ADMX info and settings

browsers/edge/includes/show-message-opening-sites-ie-include.md

@@ -22,7 +22,7 @@
 - **GP ADMX file name:** MicrosoftEdge.admx
 
 #### MDM settings
-- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer)
+- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](../new-policies.md#show-message-when-opening-sites-in-internet-explorer)
 - **Supported devices:** Desktop
 - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer
 - **Data type:** Integer

browsers/edge/includes/unlock-home-button-include.md

@@ -6,10 +6,10 @@
 
 ### Allowed values
 
-|Group Policy  |MDM |Registry |Description |Most restricted |
-|---|:---:|:---:|---|:---:|
-|Disabled or not configured<br>**(default)** |0 |0 |Lock down the home button to prevent users from making changes. | |
-|Enabled |1 |1 |Let users make changes. | |
+|Group Policy  |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured<br>**(default)** |0 |0 |Lock down the home button to prevent users from making changes. | 
+|Enabled |1 |1 |Let users make changes. | 
 ---
 
 ### ADMX info and settings

browsers/edge/microsoft-edge-kiosk-mode-deploy.md

@@ -15,17 +15,18 @@ ms.date: 07/18/2018
 >Applies to: Microsoft Edge on Windows 10 <br>
 >Preview build 17718
 
-Microsoft Edge kiosk mode works with assigned access to allow IT, administrators, to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
+Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
 
 When you configure Microsoft Edge kiosk mode in assigned access, you can set it up to show only a single URL in full-screen, in the case of digital/interactive signage on a single-app kiosk device. You can restrict Microsoft Edge for public browsing (on a single and multi-app kiosk device) which runs a multi-tab version of InPrivate with limited functionality. Also, you can configure a multi-app kiosk device to run a full or normal version of Microsoft Edge. 
 
-Digital/Interactive signage and public browsing protects the user’s data by running Microsoft Edge InPrivate. In single-app public browsing, there is both an idle timer and an 'End Session' button. The idle timer resets the browsing session after a specified time of user inactivity.
+Digital/Interactive signage and public browsing protects the user’s data by running Microsoft Edge InPrivate. In single-app public browsing, there is both an idle timer and an 'End Session' button. The idle timer resets the browsing session after a specified time of user inactivity.  
+
+In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to setup your Microsoft Edge kiosk mode experience.
 
-In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device.  You also learn how to setup your Microsoft Edge kiosk mode experience.
 
 
 ## Microsoft Edge kiosk types
-Microsoft Edge kiosk mode supports **four** types, depending on how a Microsoft Edge kiosk is set up in assigned access; single-app and multi-app kiosk.
+Microsoft Edge kiosk mode supports **four** types, depending on how Microsoft Edge is set up in assigned access; single-app or multi-app kiosk. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access).
 
 ### Single-app kiosk
 
@@ -33,9 +34,9 @@ When you set up Microsoft Edge kiosk mode in single-app assigned access, Microso
 
 The single-app Microsoft Edge kiosk mode types include:
 
-1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage are an interactive museum display or restaurant order/pay station.
+1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage are an interactive museum display and restaurant order/pay station.
 
-2. **Public browsing** devices run a limited multi-tab version of InPrivate and are the only app available. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. An example usage of this mode is an information kiosk at a public library. 
+2. **Public browsing** devices run a limited multi-tab version of InPrivate and Microsoft Edge is the only app available. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking the “End session” button. You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. A public library or hotel concierge desk are two examples of public browsing in single-app kiosk device. 
 
     ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/SingleApp_contosoHotel_inFrame.png)
 
@@ -44,34 +45,33 @@ When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsof
 
 The multi-app Microsoft Edge kiosk mode types include:
 
-3.  **Public browsing** (shared browsing) supports browsing the internet and runs InPrivate with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can, close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support automatically.  Examples of public browsing include an information kiosk device at a public library or hotel concierge desk that provides access to Microsoft Edge and another app(s).
+3.  **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.  Examples of public browsing include an information kiosk device at a public library or hotel concierge desk that provides access to Microsoft Edge and other app(s).
 
     ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/Multi-app_kiosk_inFrame.png)
 
-4.  **Normal mode** runs a full version of Microsoft Edge, but some features may not work depending on what other apps you configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. 
+4.  **Normal mode** mode runs a full version of Microsoft Edge, but some features may not work depending on what other apps you configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. 
 
     ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/Normal_inFrame.png)
 
 ## Let’s get started!
-
 Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using:
 
--   **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings.  You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home Button, Start Page, and New Tab page. You can also set the reset after an idle timeout.
+-   **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings.  You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout.  
 
 -   **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access.
 
     >[!NOTE]
     >For other MDM service, check with your provider for instructions.
 
--   **Windows PowerShell.** Best for setting up multiple devices as a kiosk. With this method, you can set up single-app or multi-app assigned access in PowerShell. For details, see [Set up a kiosk or digital sign using Windows PowerShell](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-using-windows-powershell).
+-   **Windows PowerShell.** Best for setting up multiple devices as a kiosk. With this method, you can set up single-app or multi-app assigned access using a PowerShell script. For details, see For details, see [Set up a kiosk or digital sign using Windows PowerShell](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-using-windows-powershell). 
 
--   **Windows Configuration Designer.** Best for setting up multiple devices as a kiosk. Download and install both the latest version of the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and [Windows Configuration Manager](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd#install-windows-configuration-designer-1).
+-   **Windows Configuration Designer.** Best for setting up multiple kiosk devices. Download and install both the latest version of the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and [Windows Configuration Manager](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd#install-windows-configuration-designer-1).
 
 ### Prerequisites
 
 -   Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
 
--   Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method.
+-   Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer.  With these methods, you must have the  [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method.
 
 ### Use Windows Settings 
 
@@ -104,7 +104,7 @@ Windows Settings is the simplest and easiest way to set up one or a couple of de
     >[!NOTE]
     >The URL sets the Home button, Start page, and New tab page.
 
-11.  Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions.<p>When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes,** or you can choose your own idle timer value.
+11.  11.	Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value.
 
 12.  Select **Next**, and then select **Close**.
 
@@ -128,7 +128,7 @@ Windows Settings is the simplest and easiest way to set up one or a couple of de
 
 ### Use Microsoft Intune or other MDM service
 
-With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge in assigned access and how it behaves when it’s running in assigned access. 
+With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device.  
 
 1.  In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
 
@@ -138,12 +138,12 @@ With this method, you can use Microsoft Intune or other MDM services to configur
     |---|---|
     | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**<p>![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode<p>**Data type:**  Integer<p>**Allowed values:**<ul><li>**Single-app kiosk experience**<ul><li>**0** - Digital signage and interactive display</li><li>**1** - InPrivate Public browsing</li></ul></li><li>**Multi-app kiosk experience**<ul><li>**0** - Normal Microsoft Edge running in assigned access</li><li>**1** - InPrivate public browsing with other apps</li></ul></li></ul> |
     | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**<p>![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul>  |
-    | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png)  | Set one or more start pages, URLs, to load when Microsoft Edge launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URL, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\>  |
+    | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png)  | Set one or more start pages, URLs, to load when Microsoft Edge launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\>  |
     | **[ConfigureHomeButton](new-policies.md#configure-home-button)**<p>![](images/icon-thin-line-computer.png)  | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul>   |
     | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**<p>![](images/icon-thin-line-computer.png)   | Set a custom URL for the New tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com      |
     | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**<p>![](images/icon-thin-line-computer.png)    | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com    |
     ---
-
+<br>
 3.  Restart the device and sign in using the kiosk app user account.
 
 **_Congratulations!_** You’ve finished setting up a kiosk or digital signage and configuring policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service.
@@ -152,9 +152,9 @@ With this method, you can use Microsoft Intune or other MDM services to configur
 
 ### Use a provisioning package 
 
-With this method, you can use a provisioning package to configure Microsoft Edge in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access. 
+With this method, you can use a provisioning package to configure Microsoft Edge kiosk mode in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves on a kiosk device. 
 
-1.  Open Windows Configuration Designer to create a provisioning package and configure Microsoft Edge in assigned access.
+1.  Open Windows Configuration Designer to create a provisioning package and configure Microsoft Edge in assigned access. 
 
 2.  After creating the provisioning package and configuring assigned access, and before you build the package, switch to the advanced editor.
 
@@ -164,12 +164,12 @@ With this method, you can use a provisioning package to configure Microsoft Edge
     |---|---|
     | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**<p>![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode<p>**Data type:**  Integer<p>**Allowed values:**<ul><li>**Single-app kiosk experience**<ul><li>**0** - Digital signage and interactive display</li><li>**1** - InPrivate Public browsing</li></ul></li><li>**Multi-app kiosk experience**<ul><li>**0** - Normal Microsoft Edge running in assigned access</li><li>**1** - InPrivate public browsing with other apps</li></ul></li></ul> |
     | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**<p>![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul>  |
-    | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png)  | Set one or more start pages, URLs, to load when Microsoft Edge launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URL, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\>  |
+    | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png)  | Set one or more start pages, URLs, to load when Microsoft Edge launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\>  |
     | **[ConfigureHomeButton](new-policies.md#configure-home-button)**<p>![](images/icon-thin-line-computer.png)  | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul>   |
     | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**<p>![](images/icon-thin-line-computer.png)   | Set a custom URL for the New tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com      |
     | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**<p>![](images/icon-thin-line-computer.png)    | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com    |
     ---
-
+<br>
 4.  After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to build the package.
 
 5.  Click **Finish**. The wizard closes taking you back to the Customizations page.
@@ -182,7 +182,7 @@ With this method, you can use a provisioning package to configure Microsoft Edge
 
 ## Related policies
 
-You can use any of the following policies to enhance the kiosk experience.  To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser).
+Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser).
 
 | **MDM Setting**  | **Digital /<br>Interactive signage** | **Public browsing<br>single-app** | **Public browsing<br>multi-app**   | **Normal<br>mode**   |
 |------------------|:---------:|:---------:|:---------:|:---------:|
@@ -281,7 +281,7 @@ You can use any of the following policies to enhance the kiosk experience.  To l
     - **Expected behavior** – Microsoft Edge kiosk mode opens the URL on startup. 
     - **Actual behavior** – Microsoft Edge kiosk mode may not open with the URL on startup.
 
-- Bug with Microsoft Edge kiosk mode when setting up a single-app in assigned access and “Configure kiosk mode” is not set. 
+- •	When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored. 
     - **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode. 
     - **Actual behavior** – Normal Microsoft Edge launches.
 
@@ -323,6 +323,6 @@ In the following table, we show you the features available in both Microsoft Edg
 ---
 
 **\*Windows Defender Firewall**<p>
-To prevent unwanted websites, use Windows Defender Firewall to configure a list of allowed websites or blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both.  For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
 
 ---

browsers/edge/new-policies.md

@@ -47,7 +47,7 @@ In addition to the new group policies, we added a couple of new MDM policies to
 - [Experience/DoNotSyncBrowserSetting](#donotsyncbrowsersetting)
 - [Browser/AllowWebContentOnNewTabPage](#allowwebcontentonnewtabpage)
 
-We are also deprecating the **Configure Favorites** group policy because no MDM equivalent existed. Use the **[Provision Favorites](available-policies.md#provision-favorites)** in place of Configure Favorites.  
+We are also deprecating the **Configure Favorites** group policy because no MDM equivalent existed. Use the **[Provision Favorites](available-policies.md#provision-favorites)** in place of Configure Favorites.   
  
  <!-- RS5 policies -->
 

browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md

@@ -1 +1 @@
-By default, Microsoft Edge shows the Address bar drop-down list and makes it available.  When enabled (default setting), this policy takes precedence over the [Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar) policy. If you want to minimize network connections from Microsoft Edge to Microsoft service, we recommend disabling this policy, which hides the Address bar drop-down list functionality. When disabled, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings. 
+Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the [Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar) policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the Show search and site suggestions as I type toggle in Settings.

browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md

@@ -1 +1 @@
-Adobe Flash is integrated with Microsoft Edge and updated via Windows Update. By default, Microsoft Edge runs Adobe Flash content.  With this policy, you can configure Microsoft Edge to prevent running Adobe Flash content.
+Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.

browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md

@@ -1 +1 @@
-By default, Microsoft Edge does not clear the browsing data on exit, but users can configure the _Clear browsing data_ option in Settings.  Browsing data includes information you entered in forms, passwords, and even the websites visited. Enabling this policy clears the browsing data automatically each time Microsoft Edge closes.
+Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings.  Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.

browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md

@@ -1 +1 @@
-By default, Microsoft Edge automatically updates the configuration data for the Books Library.  Enabling this policy prevents Microsoft Edge from updating the configuration data. 
+Microsoft Edge automatically updates the configuration data for the Books Library. Disabling this policy prevents Microsoft Edge from updating the configuration data.

browsers/edge/shortdesc/allow-cortana-shortdesc.md

@@ -1 +1 @@
-Since Microsoft Edge is integration with Cortana, and by default, Microsoft Edge allows users to use Cortana voice assistant. Disabling this policy prevents users from using Cortana, but they can still search to find items on their device.
+Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device.

browsers/edge/shortdesc/allow-developer-tools-shortdesc.md

@@ -1 +1 @@
-By default, Microsoft Edge allows users to use the F12 developer tools to build and debug web pages. Disabling this policy prevents users from using the F12 developer tools.
+Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.

browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md

@@ -1 +1 @@
-By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data.
+By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data.

browsers/edge/shortdesc/allow-extensions-shortdesc.md

@@ -1 +1 @@
-By default, this policy allows users to add or personalize extensions in Microsoft Edge. Disabling this policy prevents users from adding or personalizing extensions. 
+Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.

browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md

@@ -1 +1 @@
-Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge.
+Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge. 

browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md

@@ -1 +1 @@
-By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device.  Disabling this policy prevents InPrivate web browsing.
+By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device.  With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.

browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md

@@ -1 +1 @@
-By default, during navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays properly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates.  You can view the compatibility list at about:compat.  Disable this policy to ignore the compatibility list.
+During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates.  With this policy, you can configure Microsoft Edge to ignore the compatibility list.  You can view the compatibility list at about:compat.

browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md

@@ -1 +1 @@
-By default, users can add new search engines or change the default search engine, in Settings, in Microsoft Edge. Disabling this policy prevents users from customizing the search engine in Microsoft Edge. 
+By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. 

browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md

@@ -1 +1 @@
-By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions.  Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell.  You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
+By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions.  Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell.  You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).  

browsers/edge/shortdesc/always-show-books-library-shortdesc.md

@@ -1 +1 @@
-By default, Microsoft Edge shows the Books Library only in countries or regions where supported.  Enabling this policy shows the Books Library, regardless of the device’s country or region. 
+Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.

browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md

@@ -1 +1 @@
-By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. You set the default search engine using the [Set default search engine](../available-policies.md#set-default-search-engine) policy. If you enabled this policy and now want to disable it, disabling deletes all configured search engines. 
+By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the [[Set default search engine]](../available-policies.md#set-default-search-engine) policy. With this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. 

education/windows/TOC.md

@@ -4,6 +4,9 @@
 ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
 ## [Set up Windows devices for education](set-up-windows-10.md)
 ### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
+#### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md)
+#### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md)
+#### [Provisioning package settings](set-up-school-pcs-provisioning-package.md)
 ### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
 ### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
 ### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)

education/windows/set-up-school-pcs-azure-ad-join.md

@@ -0,0 +1,95 @@
+---  
+title: Azure AD Join with Setup School PCs app  
+description: Describes how Azure AD Join is configured in the Set up School PCs app.  
+keywords: shared cart, shared PC, school, set up school pcs  
+ms.prod: w10  
+ms.technology: Windows  
+ms.mktglfcycl: plan  
+ms.sitesec: library  
+ms.pagetype: edu  
+ms.localizationpriority: medium  
+author: lenewsad  
+ms.author: lanewsad  
+ms.date: 07/13/2018  
+---  
+
+# Azure AD Join for school PCs  
+
+>   [!NOTE]  
+>   Set up School PCs app uses Azure AD Join to configure PCs. The app is helpful if you use the cloud based directory, Azure Active Directory (AD). If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration
+>   Designer](set-up-students-pcs-to-join-domain.md) to 
+>   join your PCs to your school's domain.
+
+Set up School PCs lets you create a provisioning package that automates Azure AD
+Join on your devices. This feature eliminates the need to manually:
+
+-   Connect to your school’s network.
+
+-   Join your organization's domain.
+
+## Automated connection to school domain  
+
+During initial device setup, Azure AD Join automatically connects your PCs to your school's Azure AD domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup.
+
+Students who sign in to their PCs with their Azure AD credentials get access to on-premises apps and the following cloud apps:
+* Office 365
+* OneDrive 
+* OneNote.
+
+## Enable Azure AD Join  
+
+Learn how to enable Azure AD Join for your school. After you configure this setting, you'll be able to request an automated Azure AD bulk token, which you need to create a provisioning package.   
+
+1. Sign in to the Azure portal with your organization's credentials. 
+2. Go to **Azure
+Active Directory** \> **Devices** \> **Device settings**.  
+3. Enable the setting
+for Azure AD by selecting **All** or **Selected**. If you choose the latter
+option, select the teachers and IT staff to allow them to connect to Azure AD.  
+
+![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png)  
+
+You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff.
+
+## All Device Settings  
+
+The following table describes each setting within **Device Settings**.
+
+| Setting                                                    | Description                                                                                                                                                                                                                                                                                                            |
+|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Users may join devices to Azure AD                         | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. |  
+| Additional local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant additional local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default.                                                                                                  |
+| Users may register their devices with Azure AD             | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you are enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you.                                     |
+| Require Multi-Factor Authentication to join devices                  | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication.                                                                                                             |
+| Maximum number of devices per user                         | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before additional ones are added.                                                                                                                               |
+| Users may sync settings and enterprise app data            | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow.                                                                                                                                                  |
+
+## Clear Azure AD tokens  
+
+Your Intune tenant can only have 500 active Azure AD tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens.
+
+To reduce your inventory, clear out all unnecessary and inactive tokens.
+1. Go to **Azure Active Directory** \> **Users** \> **All users**  
+2. In the **User Name** column, select and delete all accounts with a **package\ _**
+prefix. These accounts are created at a 1:1 ratio for every token and are safe
+to delete.   
+3. Select and delete inactive and expired user accounts. 
+
+### How do I know if my package expired?
+Automated Azure AD tokens expire after 30 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.  
+
+![Screenshot of the Azure portal, Azure Active Directory, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspc-admin-token-delete-1807.png)  
+
+## Next steps    
+Learn more about setting up devices with the Set up School PCs app.  
+* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md) 
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+

education/windows/set-up-school-pcs-provisioning-package.md

@@ -0,0 +1,122 @@
+---  
+title: What's in Set up School PCs provisioning package  
+description: Lists the provisioning package settings that are configured in the Set up School PCs app.  
+keywords: shared cart, shared PC, school, set up school pcs  
+ms.prod: w10  
+ms.technology: Windows  
+ms.mktglfcycl: plan  
+ms.sitesec: library  
+ms.pagetype: edu  
+ms.localizationpriority: medium  
+author: lenewsad  
+ms.author: lanewsad  
+ms.date: 07/13/2018  
+---  
+
+# What's in my provisioning package?
+The Set up School PCs app builds a specialized provisioning package with school-optimized settings. 
+
+A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx) article. 
+
+## Shared PC Mode policies
+This table outlines the policies applied to devices in shared PC mode. If you [selected to optimize a device for use by a single student](set-up-school-pcs-shared-pc-mode.md#optimize-device-for-use-by-a-single-student), the table notes the differences. Specifically, you'll see differences in the following policies:
+* Disk level deletion
+* Inactive threshold
+* Restrict local storage
+
+In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting.
+
+For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode).
+
+|Policy name|Default value|Description|  
+|---------|---------|---------|  
+|Enable Shared PC mode|True| Configures the PCs so they are in shared PC mode.|  
+|Set education policies    | True      | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education).       |  
+|Account Model| Only guest, Domain-joined only, or Domain-joined and guest  |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. |  
+|Deletion policy  |   Delete at disk space threshold and inactive threshold     | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they have not signed in within the number of days specified by inactive threshold policy.        |  
+|Disk level caching  |   50%     | Sets 50% of total disk space to be used as the disk space threshold for account caching.       |  
+|Disk level deletion    |   For shared device setup, 25%; for single device-student setup, 0%.   |  When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and does not delete accounts.   |  
+|Enable account manager    |  True      |  Enables automatic account management.       |  
+|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account has not signed in, it will be deleted.
+|Kiosk Mode AMUID   | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App  | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser.    |  
+|Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices.     |  
+|Restrict local storage    |   For shared device setup, True; for single device-student setup, False.     |   When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy does not prevent students from saving on the PCs local hard drive.  |  
+|Maintenance start time     | 0 - midnight       | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices.  |  
+|Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.|  
+|Set power policies     |  True      |  Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close.       |  
+|Sign in on resume   |  True     | Requires the device user to sign in with a password when the PC wakes from sleep.        |  
+|Sleep timeout    |  3600 seconds      | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied.    |  
+
+## MDM and local group policies 
+This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app.     
+
+For a more detailed look of each policy listed, see [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation.  
+
+
+|Policy name  |Default value |Description |
+|---------|---------|---------|
+|Authority|User-defined  | Authenticates the admin user. Value is set automatically when signed in to Azure AD.
+|BPRT|User-defined| Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. |
+|WLAN Setting| XML is generated from the Wi-Fi profile in the Set up School PCs app.| Configures settings for wireless connectivity.| 
+|Hide OOBE for desktop| True | Hides the interactive OOBE flow for Windows 10.|
+|Download Mode|1 - HTTP blended with peering behind the same NAT|Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates|
+|Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel| Specifies how frequently devices receive preview builds and feature updates.|  
+|Allow auto update   | 4 - Auto-installs and restarts without device-user control    |  When an auto update is available, it auto-installs and restarts the device without any input or action from the device user.|
+|Configure automatic updates  | 3 - Set to install at 3am    |  Scheduled time to install updates.|
+|Update power policy for cart restarts   | 1 - Configured| Skips all restart checks to ensure that the reboot will happen at the scheduled install time. |  
+|Select when Preview Builds and Feature Updates are received   | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days.|  
+|Allow all trusted apps |   Disabled      | Prevents untrusted apps from being installed to device        |
+|Allow developer unlock  |   Disabled     | Students cannot unlock the PC and use it in developer mode          |
+|Allow Cortana | Disabled | Cortana is not allowed on the device.
+|Allow manual MDM unenrollment   | Disabled          |   Students cannot remove the mobile device manager from their device.     |
+|Settings page visibility|Enabled |Specific pages in the System Settings app are not visible or accessible to students.|
+|Allow add provisioning package  |  Disabled         | Students cannot add and upload new provisioning packages to their device.        |
+|Allow remove provisioning package   | Disabled       | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app        |
+|Start Layout|Enabled |Lets you specify the Start layout for users and prevents them from changing the configuration.|
+|Import Edge Assets| Enabled| Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files.|  
+|Allow pinned folder downloads|1 - The shortcut is visible and disables the setting in the Settings app |Makes the Downloads shortcut on the Start menu visible to students.|
+|Allow pinned folder File Explorer|1 - The shortcut is visible and disables the setting in the Settings app |Makes the File Explorer shortcut on the Start menu visible to students.|
+|Personalization  |     Deploy lock screen image  | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default.     | Deploys a jpg, jpeg, or png image to be used as lock screen image on the device.
+|Personalization| Lock screen image URL| Image filename| You can specify a jpg, jpeg, or png image to be used as the device lock screen image. This setting can take an http or https URL to a remote image to be downloaded, or a file URLto an existing local image. 
+|Update|Active hours end    | 5 PM       | There will be no update reboots before this time.        |
+|Update|Active hours start     |  7 AM     |  There will be no update reboots after this time.      |    
+|Updates Windows    |  Nightly       |  Sets Windows to update on a nightly basis.       |  
+
+## Apps uninstalled from Windows 10 devices
+Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device.  The following table lists all apps uninstalled from Windows 10 devices.  
+
+
+|App name |Application User Model ID |
+|---------|---------|
+|3D Builder | Microsoft.3DBuilder_8wekyb3d8bbwe | 
+|Bing Weather  | Microsoft.BingWeather_8wekyb3d8bbwe  | 
+|Desktop App Installer|Microsoft.DesktopAppInstaller_8wekyb3d8bbwe|
+|Get Started | Microsoft.Getstarted_8wekyb3d8bbw |  
+|Messaging|Microsoft.Messaging_8wekyb3d8bbwe  
+|Microsoft Office Hub| Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe |  
+|Microsoft Solitaire Collection | Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe |   
+|One Connect|Microsoft.OneConnect_8wekyb3d8bbwe|
+|Paid Wi-Fi & Cellular   | Microsoft.OneConnect_8wekyb3d8bbwe | 
+|Feedback Hub   |  Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe  |    
+|Xbox | Microsoft.XboxApp_8wekyb3d8bbwe |  
+|Mail/Calendar | microsoft.windowscommunicationsapps_8wekyb3d8bbwe|  
+
+## Apps installed on Windows 10 devices  
+Set up School PCs uses the Universal app install policy to install school-relevant apps on  all Windows 10 devices. Apps that are installed include:
+* OneDrive
+* OneNote
+* Sway   
+
+## Next steps  
+Learn more about setting up devices with the Set up School PCs app.  
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md) 
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+

education/windows/set-up-school-pcs-shared-pc-mode.md

@@ -0,0 +1,80 @@
+---  
+title: Shared PC mode for school devices  
+description: Describes how shared PC mode is set for devices set up with the Set up School PCs app.  
+keywords: shared cart, shared PC, school, set up school pcs  
+ms.prod: w10  
+ms.technology: Windows  
+ms.mktglfcycl: plan  
+ms.sitesec: library  
+ms.pagetype: edu  
+ms.localizationpriority: medium  
+author: lenewsad  
+ms.author: lanewsad  
+ms.date: 07/13/2018  
+---  
+
+# Shared PC mode for school devices
+
+Shared PC mode optimizes Windows 10 for shared use scenarios, such as classrooms and school libraries.  A Windows 10 PC in shared PC mode requires minimal to zero maintenance and management. Update settings are optimized for classroom settings, so that they automatically occur outside of school hours.
+
+Shared PC mode can be applied on devices running:
+* Windows 10 Pro
+* Windows 10 Pro Education
+* Windows 10 Education
+* Windows 10 Enterprise  
+
+To learn more about how to set up a device in shared PC mode, see [Set up a shared or guest PC with Windows 10](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc).  
+
+## Windows Updates
+Shared PC mode configures power and Windows Update settings so that computers update regularly. Computers that are set up through the Set up School PCs app are configured to:  
+* Wake nightly.  
+* Check for and install updates.  
+* Forcibly reboot, when necessary, to complete updates.  
+
+These configurations reduce the need to update and reboot computers during daytime work hours. Notifications about needed updates are also blocked from disrupting students.
+
+## Default admin accounts in Azure Active Directory  
+By default, the account that joins your computer to Azure AD will be given admin permissions on the computer. Global administrators in the joined Azure AD domain will also have admin permissions when signed in to the joined computer.  
+
+An Azure AD Premium subscription lets you specify the accounts that get admin accounts on a computer. These accounts are configured in Intune in the Azure portal.  
+
+## Account deletion policies
+This section describes the deletion behavior for the accounts configured in shared PC mode. A delete policy makes sure that outdated or stale accounts are regularly removed to make room for new accounts. 
+
+### Azure AD accounts
+
+The default deletion policy is set to automatically cache accounts. Cached accounts are automatically deleted when disk space gets too low, or when there's an extended period of inactivity. Accounts continue to delete until the computer reclaims sufficient disk space. Deletion policies behave the same for Azure AD and Active Directory domain accounts. 
+
+### Guest and Kiosk accounts
+Guest accounts and accounts created through Kiosk are deleted after they sign out of their account.
+
+### Local accounts
+Local accounts that you created before enabling shared PC mode aren't deleted. Local accounts that you create through the following path, after enabling PC mode, are not deleted: **Settings** app > **Accounts** > **Other people** > **Add someone**     
+
+## Create custom Windows images
+Shared PC mode is compatible with custom Windows images.  
+
+To create a compatible image, first create your custom Windows image with all software, updates, and drivers. Then use the System Preparation (Sysprep) tool with the `/oobe` flag to create the SharedPC-compatible version. For example, `sysrep/oobe`.
+
+Teachers can then run the Set up School PCs package on the computer.  
+
+## Optimize device for use by a single student
+Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students.  The  Set up School PCs app also offers the option to configure settings for devices that aren't shared. 
+  
+If you select this setting, the app modifies shared PC mode so that it's appropriate for a single device. To see how the settings differ, refer to the Shared PC mode policy table in the article [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)  
+1. In the app, go to the **Create package** > **Settings** step. 
+2. Select **Optimize device for a single student, instead of a shared cart or lab**.  
+
+## Next steps  
+Learn more about setting up devices with the Set up School PCs app.  
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md) 
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+

education/windows/set-up-school-pcs-technical.md

@@ -1,6 +1,6 @@
 ---
-title: Set up School PCs app technical reference
-description: Describes the changes that the Set up School PCs app makes to a PC.
+title: Set up School PCs app technical reference overview
+description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
 keywords: shared cart, shared PC, school, set up school pcs
 ms.prod: w10
 ms.technology: Windows
@@ -8,302 +8,74 @@ ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
 ms.localizationpriority: medium
-author: CelesteDG
-ms.author: celested
-ms.date: 04/04/2018
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/11/2018
 ---
 
-# Technical reference for the Set up School PCs app 
+What is Set up School PCs?
+=================================================
+
 **Applies to:**
 
--   Windows 10 
+-   Windows 10
+
+The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The
+app, which is available for Windows 10 version 1703 and later, configures and saves
+school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. 
+
+If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up
+School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity.  
+
+
+## Join PC to Azure Active Directory
+If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up
+School PCs app creates a setup file that joins your PC to your Azure Active
+Directory tenant. 
+
+The app also helps set up PCs for use with or without Internet connectivity.
+
+## List of Set up School PCs features
+The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription.
+
+| Feature                                                                                                                                                                                                                                                               | No Internet | Azure AD | Office 365 | Azure AD Premium |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------|
+| **Fast sign-in**                                                                                                                                                                                                                                                      | X           | X        | X          | X                |
+| Students sign in and start using the computer in under a minute, even on initial sign-in.                                                                                                                                                             |             |          |            |                  |
+| **Custom Start experience**                                                                                                                                                                                                                                           | X           | X        | X          | X                |
+| Necessary classroom apps are pinned to Start and unnecessary apps are removed.                                                                                                                                                                                         |             |          |            |                  |
+| **Guest account, no sign-in required**                                                                                                                                                                                                                                | X           | X        | X          | X                |
+| Set up computers for use by anyone with or without an account.                                                                                                                                                                         |             |          |            |                  |
+| **School policies**                                                                                                                                                                                                                                                   | X           | X        | X          | X                |
+| Settings create a relevant, useful learning environment and optimal computer performance.                                                                                                                                                                |             |          |            |                  |
+| **Azure AD Join**                                                                                                                                                                                                                                                     |             | X        | X          | X                |
+| Computers join with your existing Azure AD or Office 365 subscription for centralized management.                                                                                                                                                                      |             |          |            |                  |
+| **Single sign-on to Office 365**                                                                                                                                                                                                                                      |             |          | X          | X                |
+| Students sign in with their IDs to access all Office 365 web apps or installed Office apps.                                                                                                                                                            |             |          |            |                  |
+| **Take a Test app**                                                                                                                                                                                                                                                     |             |          |            | X                |
+| Administer quizzes and assessments through test providers such as Smarter Balanced.                                                                                                                                      |             |          |            |                  |
+| [Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD**                                                                                                             |             |          |            | X                |
+| Synchronize student and application data across devices for a personalized experience.                                                                                                                                                          |             |          |            |                  |
+
+>   [!NOTE]  
+>   If your school uses Active Directory, use [Windows Configuration
+>   Designer](set-up-students-pcs-to-join-domain.md) 
+>   to configure your PCs to join the domain. You can only use the Set up School
+>   PCs app to set up PCs that are connected to Azure AD.
 
 
 
-The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic.
+## Next steps  
+Learn more about setting up devices with the Set up School PCs app.  
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md) 
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
 
-If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. 
-
-Here's a list of what you get when using the Set up School PCs app in your school. 
-
-| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium |
-| --- | :---: | :---: | :---: | :---: |
-| **Fast sign-in**<br/>Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X |
-| **Custom Start experience**<br/>The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X |
-| **Guest account, no sign-in required**<br/>This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X |
-| **School policies**<br/>Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X |
-| **Azure AD Join**<br/>The computers are  joined to your Azure AD or Office 365 subscription for centralized management. |   | X | X | X |
-| **Single sign-on to Office 365**<br/>By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. |   |    | X | X |
-| **Take a Test**<br/>Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. |   |    |  | X |
-| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**<br/>Student user and application settings data can be synchronized across devices for a personalized experience. |   |    |    | X |
-
-
-> [!NOTE]  
-> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD.
-
-## Automated Azure AD join
-One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated.
-
-To make this as seamless as possible, in your Azure AD tenant:
-- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. 
-
-    In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD.
-
-    **Figure 1** - Select the users you want to enable to join devices to Azure AD
-
-    ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png)
-
-- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff.
-    - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app.
-    - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student.
-
-- Turn off multifactor authentication.
-
-    In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**.
-
-    **Figure 2** - Turn off multi-factor authentication in Azure AD
-
-    ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png)
-
-- Set the maximum number of devices a user can add to unlimited.
-
-    In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**.
-
-    **Figure 3** - Set maximum number of devices per user to unlimited
-
-    ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png)
-
-- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time.
-
-    In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. 
-
-    **Figure 4** - Delete the accounts automatically created for the Azure AD tokens
-
-    ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png)
-
-- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs.
-
-    **Figure 5** - Sample summary page showing the expiration date
-
-    ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png)
-
-
-<!-- When the MSES Get Started goes live, add a link to it from here -->
-
-
-## Information about Windows Update
-
-Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: 
-* Wake nightly
-* Check and install updates
-* Forcibly reboot if necessary to finish applying updates
-
-The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked.
-
-## Guidance for accounts on shared PCs
-
-* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out.
-* On a Windows PC joined to Azure Active Directory:
-    * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
-    * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
-* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out.
-* If admin accounts are necessary on the PC
-    * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
-    * Create admin accounts before setting up shared PC mode, or 
-    * Create exempt accounts before signing out.
-* The account management service supports accounts that are exempt from deletion.
-    * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
-    * To add the account SID to the registry key using PowerShell:
-
-        ```
-        $adminName = "LocalAdmin"
-        $adminPass = 'Pa$$word123'
-        iex "net user /add $adminName $adminPass"
-        $user = New-Object System.Security.Principal.NTAccount($adminName) 
-        $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) 
-        $sid = $sid.Value;
-        New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
-        ``` 
-
-## Custom images
-Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx).
-
-## Provisioning package details
-
-The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). 
-
-### Education customizations set by local MDM policy
-
-- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud.
-- A custom Start layout, taskbar layout, and lock screen image are set.
-- Prohibits unlocking the PC to developer mode.
-- Prohibits untrusted Microsoft Store apps from being installed.
-- Prohibits students from removing MDM.
-- Prohibits students from adding new provisioning packages.
-- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs).
-- Sets Windows Update to update nightly.
-
-
-### Uninstalled apps 
-
-- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe)
-- Weather (Microsoft.BingWeather_8wekyb3d8bbwe)
-- Tips (Microsoft.Getstarted_8wekyb3d8bbwe)
-- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe)
-- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe)
-- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe)
-- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe)
-- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe)
-- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe)
-
-### Local Group Policies
-
-> [!IMPORTANT]  
-> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required.
-
-<table border="1"> 
-<thead><tr><th colspan="2"><p>Policy path</p></th></tr>
-<tr><th><p>Policy name</p></th><th><p>Value</p></th> 
-</tr> </thead>
-<tbody>
-<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>Control Panel</strong> > <strong>Personalization</strong></p></td> 
-</tr> 
-<tr><td><p>Prevent enabling lock screen slide show</p></td><td><p>Enabled</p></td>
-</tr> 
-<tr><td><p>Prevent changing lock screen and logon image</p></td><td><p>Enabled</p></td>
-</tr> 
-<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Button Settings</strong></p></td> 
-</tr> 
-<tr><td><p>Select the Power button action (plugged in)</p></td><td><p>Sleep</p></td> 
-</tr> 
-<tr><td><p>Select the Power button action (on battery)</p></td><td><p>Sleep</p></td> 
-</tr> 
-<tr><td><p>Select the Sleep button action (plugged in)</p></td><td><p>Sleep</p></td> 
-</tr> 
-<tr><td><p>Select the lid switch action (plugged in)</p></td><td><p>Sleep</p></td>
-</tr> 
-<tr><td><p>Select the lid switch action (on battery)</p></td><td><p>Sleep</p></td>
-</tr> 
-<tr><td colspan="2"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Sleep Settings</strong></p></td> 
-</tr> 
-<tr><td><p>Require a password when a computer wakes (plugged in)</p></td><td><p>Enabled</p></td>
-</tr> 
-<tr><td><p>Require a password when a computer wakes (on battery)</p></td><td><p>Enabled</p></td>
-</tr>
-<tr><td><p>Specify the system sleep timeout (plugged in)</p></td><td><p> 5 minutes</p></td>
-</tr> 
-<tr><td><p>Specify the system sleep timeout (on battery)</p></td><td><p> 5 minutes</p></td>
-</tr> 
-<tr> <td> <p> Turn off hybrid sleep (plugged in) </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td> <p> Turn off hybrid sleep (on battery) </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td> <p> Specify the unattended sleep timeout (plugged in) </p> </td> <td> <p> 5 minutes </p> </td>
-</tr> 
-<tr> <td> <p> Specify the unattended sleep timeout (on battery) </p> </td> <td> <p> 5 minutes</p> </td> 
-</tr> 
-<tr> <td> <p> Allow standby states (S1-S3) when sleeping (plugged in) </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td> <p> Allow standby states (S1-S3) when sleeping (on battery) </p> </td> <td> <p> Enabled</p> </td> 
-</tr> 
-<tr> <td> <p> Specify the system hibernate timeout (plugged in) </p> </td> <td> <p> Enabled, 0</p> </td> 
-</tr> 
-<tr> <td> <p> Specify the system hibernate timeout (on battery) </p> </td> <td> <p> Enabled, 0</p> </td> 
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>Power Management</strong>><strong>Video and Display Settings</strong></p> </td> </tr> 
-<tr> <td> <p> Turn off the display (plugged in) </p> </td> <td> <p> 5 minutes</p> </td> 
-</tr>
- <tr> <td> <p> Turn off the display (on battery) </p> </td> <td> <p> 5 minutes</p> </td>
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>Power Management</strong>><strong>Energy Saver Settings</strong></p> </td> </tr> 
-<tr> <td> <p> Energy Saver Battery Threshold (on battery) </p> </td> <td> <p> 70</p> </td> 
-</tr>
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>Logon</strong></p> </td> 
-</tr> 
-<tr> <td> <p> Show first sign-in animation </p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td> <p> Hide entry points for Fast User Switching </p> </td> <td> <p> Enabled</p> </td> 
-</tr> 
-<tr> <td> <p> Turn on convenience PIN sign-in </p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td> <p> Turn off picture password sign-in </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td> <p> Turn off app notification on the lock screen </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td> <p> Allow users to select when a password is required when resuming from connected standby</p> </td> <td> <p> Disabled</p> </td> 
-</tr> 
-<tr> <td> <p> Block user from showing account details on sign-in </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>System</strong>><strong>User Profiles</strong></p> </td> 
-</tr> 
-<tr> <td> <p> Turn off the advertising ID </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Biometrics</strong></p> </td> 
-</tr> 
-<tr> <td> <p> Allow the use of biometrics </p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td> <p> Allow users to log on using biometrics </p> </td> <td> <p> Disabled</p> </td> 
-</tr> 
-<tr> <td> <p> Allow domain users to log on using biometrics </p> </td> <td> <p> Disabled</p> </td> 
-</tr> 
-<tr><td colspan="2"><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Cloud Content</strong></td></tr>
-<tr> <td> <p> Do not show Windows Tips </p> </td> <td> <p> Enabled</p> </td> 
-</tr> 
-<tr> <td> <p> Turn off Microsoft consumer experiences </p> </td> <td> <p> Enabled</p> </td> 
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Data Collection and Preview Builds</strong></p> </td> 
-</tr> 
-<tr> <td> <p> Toggle user control over Insider builds </p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td> <p> Disable pre-release features or settings </p> </td> <td> <p> Disabled</p> </td> 
-</tr> 
-<tr> <td> <p> Do not show feedback notifications </p> </td> <td> <p> Enabled</p> </td> 
-</tr> 
-<tr> <td> <p> Allow Telemetry </p> </td> <td> <p> Basic, 0</p> </td> 
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>File Explorer</strong></p> </td> 
-</tr> 
-<tr> <td> <p> Show lock in the user tile menu </p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Maintenance Scheduler</strong></p> </td> 
-</tr> 
-<tr> <td> <p> Automatic Maintenance Activation Boundary </p> </td> <td> <p> *MaintenanceStartTime*</p> </td>
-</tr> 
-<tr> <td> <p> Automatic Maintenance Random Delay </p> </td> <td> <p> Enabled, 2 hours</p> </td> 
-</tr> 
-<tr> <td> <p> Automatic Maintenance WakeUp Policy </p> </td> <td> <p> Enabled</p> </td> 
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>OneDrive</strong></p> </td> 
-</tr> 
-<tr> <td> <p> Prevent the usage of OneDrive for file storage </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Windows Hello for Business</strong></p> </td> 
-</tr> 
-<tr> <td> <p> Use phone sign-in </p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td> <p> Use Windows Hello for Business </p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td> <p> Use biometrics </p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td colspan="2"> <p> <strong>Windows Settings</strong> > <strong>Security Settings</strong> > <strong>Local Policies</strong> > <strong>Security Options</strong></p> </td> 
-</tr> 
-<tr><td><p>Accounts: Block Microsoft accounts</p><p>**Note** Microsoft accounts can still be used in apps.</p></td><td><p>Enabled</p></td></tr>
-<tr> <td> <p> Interactive logon: Do not display last user name </p> </td> <td> <p> Enabled</p> </td>
-</tr> 
-<tr> <td> <p> Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p> Disabled</p> </td>
-</tr> 
-<tr> <td> <p> User Account Control: Behavior of the elevation prompt for standard users </p> </td> <td> <p> Auto deny</p> </td>
-</tr> 
-</tbody>
-</table> </br>
-
-## Use the app
-When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). 
-
-## Related topics
-
-[Set up Windows devices for education](set-up-windows-10.md)
 
 
 

education/windows/use-set-up-school-pcs-app.md

@@ -1,315 +1,238 @@
 ---
 title: Use Set up School PCs app
-description: Learn how the Set up School PCs app works and how to use it.
+description: Learn how to use the Set up School PCs app and apply the provisioning package.
 keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use
 ms.prod: w10
 ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-ms.localizationpriority: medium
-author: CelesteDG
-ms.author: celested
-ms.date: 12/11/2017
+ms.localizationpriority: high
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/11/2018
 ---
 
-# Use the Set up School PCs app 
-**Applies to:**
+# Use the Set up School PCs app  
 
--   Windows 10   
+IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app anrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM.   
 
-IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
+Set up School PCs also:  
+* Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.  
+* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.  
+* Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours.  
+* Locks down the student PC to prevent activity that isn't beneficial to their education.  
 
-## What does this app do?
+This article describes how to get started and provide information about your school in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).  
 
-Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically:
-- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant
-- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM.
-- Removes OEM preinstalled software from each student PC
-- Auto-configures and saves a wireless network profile on each student PC
-- Gives a friendly and unique name to each student device for future management
-- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup
-- Enables optional guest account for younger students, lost passwords, or visitors
-- Enables optional secure testing account
-- Enables optional Autopilot Reset feature to return devices to a fully configured or known IT-approved state
-- Locks down the student PC to prevent mischievous activity:
-    * Prevents students from removing the PC from the school's device management system
-    * Prevents students from removing the Set up School PCs settings
-- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours
-- Customizes the Start layout with Office
-- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more
-- Uninstalls apps not specific to education, such as Solitaire
-- Prevents students from adding personal Microsoft accounts to the PC
+## Requirements    
+Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements.
 
-You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide. </br>
+* Office 365 and Azure Active Directory
+* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)  
+* Permission to buy apps in Microsoft Store for Education
+* Set up School PCs app has permission to access the Microsoft Store for Education
+* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
+* Student PCs must either: 
+    * Be within range of the Wi-Fi network that you configured in the app.
+    * Have a wired Ethernet connection when you set them up.  
 
-> [!VIDEO https://www.youtube.com/embed/2ZLup_-PhkA]
+### Configure USB drive for additional space  
+USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS.  
+1. Insert the USB drive into your computer.
+2. Go to the **Start** > **This PC**.
+3. In the **Devices and drives** section, find your USB drive. Right-click to see its options.
+4. Select **Format** from the list to bring up the **Format drive name** window.
+5. Set **File system** to **NTFS**.
+6. Click **Start** to format the drive.
 
-You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI)
+### Prepare existing PC account for new setup
+Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data.
 
-## Tips for success
+If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state.
 
-* **Run the same Windows 10 build on the admin device and the student PCs**
+To begin, go to the **Settings** app on the appropriate PC.
+1. Click **Update & Security** > **Recovery**. 
+2. In the **Reset this PC** section, click **Get started**. 
+3. Click **Remove everything**.
 
-  It's critical that the IT administrator's or technical teacher's device is running the same Windows 10 build as the student PCs that you're provisioning. 
+You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps: 
+1. Click **Troubleshoot** and then choose **Reset this PC**.
+2. Select **Remove everything**.
+3. If the option appears, select **Only the drive where Windows is installed**.  
+4. Click **Just remove my files**.
+5. Click **Reset**.
 
-* **Ensure that the student PCs meet the minimum OS requirements for the version of Set up School PCs**
+## Recommendations  
+This section offers recommendations to prepare you for the best possible setup experience.  
+### Run the same Windows 10 build on the admin device and the student PCs  
+We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs.
 
- Check the minimum OS requirements for the Set up School PCs app in the **System Requirements > OS** section of the app's description on the Microsoft Store. For example, the latest version of Set up School PCs requires Windows 10 versions with build 15063.0 or higher. Do not use the app to provision student PCs with Windows 10, version 1607 (build 14393) images. 
- 
- We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs that you're provisioning. 
+### Student PCs should meet OS requirements for the app
+Check the minimum OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs.  
 
-* **Run the app at work**
+To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**.
 
-  For the best results, run the Set up School PCs app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions.
+### Use app on a PC that is connected to your school's network
+We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually.
 
-  > [!NOTE]  
-  > Don't use the **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open Wi-Fi networks that require the user to accept Terms of Use.
+ > [!NOTE]  
+  > Don't use the **Set up Schools PCs** app for PCs that must connect to:
+ >* Enterprise networks that require the user to accept Terms of Use.
+ >* Open Wi-Fi networks that require the user to accept Terms of Use.
 
-* **Network tips**
-  * You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password. 
-  * If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it.
-    - We recommend configuring your DHCP so at least 200 IP addresses are available for the devices you are setting up. Configure your IP addresses to expire after a short time (about 30 minutes). This ensures that you can set up many devices simultaneously, and IP addresses will free up quickly so you can continue to set up devices without hitting network issues.
+### Run app on an open network or network that requires a basic password  
+Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up numerous devices over Wi-Fi, make sure that your network configuration can support it.
 
-* **Apply to new student PCs**
-  * The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost.
-  
-  > [!WARNING]  
-  > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.
+We recommend that you:  
+* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously.  
+* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues.    
 
-  * The student PCs must be in range of the Wi-Fi network that you configured in Set up School PCs or have a wired Ethernet connection when you set them up. Otherwise, setup will fail.
-  * If the PC has already been set up and you want to return to the first-run experience to apply a new package, you can reset the PC to get to a clean state and get it back to the first-run experience and ready to provision again.
+>> [!WARNING]
+> Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.  
 
-  To do this:
-  - Go to **Settings > Update & security > Recovery**. In the **Reset this PC** section of the **Recovery** page, click **Get started**.
-  - Or, hit **Shift** + click **Restart** in the **Power** menu to load the Windows boot user experience. From there, follow these steps:
-    1. Click **Troubleshoot** and then choose **Reset this PC**.    
-    2. Select **Remove everything**.
-    3. Select **No - remove provisioning packages**.
-    4. Select **Only the drive where Windows is installed** (this may not always show up).      
-    5. Click **Just remove my files**.
-    6. Click **Reset**.
+### Use an additional USB drive  
+You can set up PCs at the same time. Just save the provisioning package to an additional USB drive. Then plug them in at the same time during deployment.  
 
-* **Use an NTFS-formatted USB key**
+### Limit changes to school-optimized settings
 
-    If you're planning to install several apps, the Set up School PCs package may exceed 4 GB. Check if your USB drive format is FAT32. If it is, you won't be able to save more than 4 GB of data on the drive. To work around this, reformat the USB drive to use the NTFS format. To do this:
+We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and sign-in time.  
+## Create the provisioning package
 
-    1. Insert the USB key into your computer.
-    2. Go to the Start menu and type **This PC** and then select the **This PC (Desktop app)** from the search results. 
-    3. In the **Devices and drivers** section, find the USB drive, select and then right-click to bring up options.
-    4. Select **Format** from the list to bring up the **Format <DRIVE NAME>** window.
-    5. Set **File system** to **NTFS** and then click **Start** to format the drive.
+The **Set up School PCs** app guides you through the configuration choices for the student PCs.  
 
-* **Use more than one USB key**
+### Sign-in
+1. Open the Set up School PCs app on your PC and click **Get started**.  
+    
+      ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png)  
+2. Select how you want to sign in.  
+    a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3.  
+    b. To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network).  
+3. In the new window, select the account you want to use throughout setup. 
 
-    If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on.
+    ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspc-sign-in-select-1807.png) 
 
-* **Keep it clean**
+    To add an account not listed:  
+a. Click **Work or school account** > **Continue**.  
+        b. Type in the account username and click **Next**.  
+        c. You may be asked to verify the user account and password.   
 
-    We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md).
-
-* **Get more info**
-
-    Learn more about what Set up School PCs does, including provisioning details, in [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
-
-## Prerequisites
-
-- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40).
-
-  The app supports these languages: Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English (United Kingdom), English (United States), French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Russian, Spanish (Spain), Spanish (Mexico), Swedish, and Turkish.
-
-- Install the app on your work PC and make sure you're connected to your school's network. 
-- You must have Office 365 and Azure Active Directory.
-- You must have the Microsoft Store for Education configured.
-- You must be a global admin in the Microsoft Store for Education.
-- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app.
-- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office. 
-- Check the default file system format for your USB drive. You may need to set this to NTFS to save a provisioning package that's 4 GB or larger. 
-
-## Set up School PCs step-by-step
-
-### Create the provisioning package
-
-The **Set up School PCs** app guides you through the configuration choices for the student PCs.
-
-1. Launch the Set up School PCs app.
-
-  **Figure 1** - Launch the Set up School PCs app
-
-  ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png)
-
-2. Click **Get started**.
-3. <a name="suspc_signin"></a>To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
-
-  To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**.
-
-  To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later.
-
-  If you opt to sign in, follow these steps:
-
-    1. Choose the account from the list. If you don't see the account, select **Work or school account**, click **Continue**, and enter the account details.
-    2. Click **Next** once you've specified the account.
-    3. If you added an account, you may be asked to provide the user account and password. You will get a notification to allow the app to access your account. This will give Set up School PCs permission to access Store for Business, read memberships, sign you in and read your profile, and more.
-    4. Click **Accept**.
-
-      The account will show up as the account that Set up School PCs will use to connect the school PCs to the cloud.
-
-      **Figure 2** - Verify that the account you selected shows up
+1. Click **Accept** to allow Set up School PCs to access your account throughout setup.
+2. When your account name appears on the page, as shown in the image below, click **Next.**
 
       ![Verify that the account you selected shows up](images/suspc_createpackage_signin.png)
 
-    5. Click **Next**.
-  
-4. <a name="suspc_wireless"></a>To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
-  1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. 
-  2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network.
+### Wireless network
+Add and save a wireless network profile to provision on each student PC. Only skip Wi-Fi setup if you have an Ethernet connection.  
 
-    If you click **Skip**, you will see the following dialog. 
-    * If you select **Got it**, you will go to the next page without Wi-Fi set up. 
-    * If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network.
+Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.** 
 
-    **Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection
+ ![Wireless network page with two Wi-Fi networks listed and one selected.](images/suspc-select-wifi-network-1807.png)  
 
-    ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png)
+### Device names
+Create a short name to add as a prefix to each of the PCs you set up. The name will help you recognize and manage this group of devices in your mobile device manager. The name must be five (5) characters or less.  
 
-5. <a name="suspc_devicename"></a>To assign a name to the student PCs, in the **Name these devices** page:
-  1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. 
-  
-    > [!NOTE]  
-    > The name must be five (5) characters or less. Set up School PCs automatically appends `_%SERIAL%` to the prefix that you specify. `_%SERIAL%` ensures that all device names are unique.
+To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name.  For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers.   
 
-    For example, if you add *Math4* as the prefix, the device names will be *Math4* followed by a random string of letters and numbers. 
-
-  2. Click **Next**.
-
-6. <a name="suspc_settings"></a>To specify other settings for the student PC, in the **Configure student PC settings** page:
-  - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image.
-
-      > [!NOTE]  
-      > If you select this option, the provisioning process will take longer (about 30 minutes).
-
-  - Select **Allow local storage (not recommended for shared devices)** to let students save files to the **Desktop** and **Documents** folder on the student PC. We don't recommend this option if the device will be part of a shared cart or lab.
-  - Select **Optimize device for a single student, instead of a shared cart or lab** to optimize the device for use by a single student (1:1). 
-    - Check this option if the device will not be part of a shared cart or lab.
-    - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in). 
-    - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data, or if the student doesn't use the PC over a prolonged period.
-
-  - Select **Let guests sign-in to these PCs** to allow guests to use student PCs without a school account. For example, if the device will be in a library and you want other users (like visiting students or teachers) to be able to use the device, you can select this option.
-
-    If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC.
- 
-  - Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they're ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app.
-  - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background.
-
-    **Figure 4** - Configure student PC settings
-
-    ![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings_121117.png)
-
- When you're doing configuring the student PC settings, click **Next**.
-
-7. <a name="suspc_takeatest"></a>If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test.
-  1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs.
-  2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. 
-  3. Enter the assessment URL.
-
-    You can leave the URL blank so that students can enter one later. This enables teachers to use the Take a Test account for daily quizzes or tests by having students manually enter a URL.
-
-    **Figure 5** - Configure the Take a Test app
-
-    ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage_073117.png)
-
-  3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
-
-8. <a name="suspc_recommendedapps"></a>In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following:
-  * **Office 365 for Windows 10 S (Education Preview)** 
-    * Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail.
-    * When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S.
-  * **Minecraft: Education Edition** - Free trial 
-  * Popular **STEM and Makerspace apps**
-
-  1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu.
-  2. Click **Skip** if you don't want to provision any apps.
-
-  **Figure 6** - Select from a set of recommended apps
-
-  ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_073117.png)
-    
-  The set of recommended Microsoft Store for Education apps may vary from what we show here.
-
-9. <a name="suspc_packagesummary"></a>In the **Review package summary** page, make sure that all the settings you configured appear correctly.
-  1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes.
-
-      **Figure 7** - Review your settings and change them as needed
-
-      ![Review your settings and change them as needed](images/suspc_createpackage_summary_073117.png)
-
-  2. Click **Accept**.
-
-10. <a name="suspc_savepackage"></a>In the **Insert a USB drive now** page:
-  1. Insert a USB drive to save your settings and create a provisioning package on the USB drive.
-  2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list.
-  3. Click **Save** to save the provisioning package to the USB drive.
-
-      **Figure 8** - Select the USB drive and save the provisioning package
-
-      ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png)
-
-11. <a name="suspc_pkgready"></a>When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
-
-  **Figure 9** - Provisioning package is ready
-
-  ![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png)
-
-12. <a name="suspc_getpcsready"></a>Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. 
-
-  **Figure 10** - Line up the student PCs and get them ready for setup
-
-  ![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png)
-
-13. Click **Next**.
-14. <a name="suspc_installpkg"></a>In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs. 
-
-  Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package.
-
-  **Figure 11** - Install the provisioning package on the student PCs
-
-  ![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png)
+  !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspc-device-names-1807.png)  
 
 
-### Apply the provisioning package to the student PCs
 
-The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A provisioning package is a method for applying settings to Windows 10 without needing to reimage the device. When Windows 10 refers to *package*, it means your provisioning package, and when it refers to *provisioning*, it means applying the provisioning package to the student PC.
+### Settings
+Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs.  
 
-> [!NOTE]  
-> The student PC must contain a new or reset image and the PC must not already have been through first-run setup (OOBE).
 
-**To set up the student PC using the Set up School PCs provisioning package**
+![Configure student PC settings page showing 5 settings with checkboxes and 1 setting with browser button](images/suspc-configure-student-settings-1807.png)
 
-1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 Creators Update (version 1703), this first-run setup screen says **Let's start with region. Is this right?**. 
+Setting selections vary based on the OS version you select. The following table lists all possible settings, descriptions, and important notes to consider.  After you've made your selections, click **Next**.   
 
-    If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
 
-    **Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703)
+|Setting  |What happens if I select it? |Note|
+|---------|---------|---------|
+|Remove apps pre-installed by the device manufacturer |  Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
+|Allow local storage (not recommended for shared devices)    | Lets students save files to the Desktop and Documents folder on the Student PC.         |Not recommended if the device will be part of a shared cart or lab.|
+|Optimize device for a single student, instead of a shared cart or lab    |Optimizes the device for use by a single student, rather than many students.       |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
+|Let guests sign in to these PCs     |Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
+|Enable Windows Autopilot Reset  | Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM).  |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
+|Lock screen background|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|  
 
-    ![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png)
 
-2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package. 
+### Take a Test app  
+Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device.  
+1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs.    
 
-    **Figure 13** - Windows automatically detects the provisioning package and installs it
+    ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc_createpackage_takeatestpage_073117.png)   
+2. Select from the advanced settings. The following table lists available settings and their descriptions.  
 
-    ![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png)
+|Setting |Description |
+|---------|---------|
+|Allow keyboard auto-suggestions    | Allows app to suggest words as the student types on the PC's keyboard.       |
+|Allow teachers to monitor online tests     |  Enables screen capture in the Take a Test app.  |  
 
-3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC.
+3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment.  
 
-    **Figure 14** - Remove the USB drive when you see the message that the media can be removed
+4. Click **Next**. 
 
-    ![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png)
+### Add recommended apps  
+Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu.  
+
+  ![Add recommended apps screen with 7 icons of recommended apps and selection boxes. Skip button is enabled and Next button is disabled. ](images/suspc-add-recommended-apps-1807.png)  
+
+The following table lists the recommended apps you'll see.  
+
+|App |Note |
+|---------|---------|
+|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode.        |
+|Minecraft: Education Edition | Free trial|
+|Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming|   
+
+
+### Summary
+1. Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over.  
+2. To make changes now, click any page along the left side of the window.  
+3. When finished, click **Accept**.  
+
+      ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Take a Test, and Recommended apps. Accept button is active and the page contains three links on the right-hand side to help and support.](images/suspc_createpackage_summary_073117.png)
+
+### Insert USB
+1. Insert a USB drive. The **Save** button will light up when your computer detects the USB.  
+2. Choose your USB drive from the list and click **Save**.
+
+      ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc_savepackage_insertusb.png)
+
+3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**. 
+
+      ![Your provisioning package is ready screen with package details, active Next button, and grayed-out Add a USB button.](images/suspc_savepackage_ppkgisready.png)  
+
+## Run package - Get PCs ready  
+Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**.  
    
-4. If you set up the package to do Azure AD Join, that's it! You're done, and the PC is now ready for students to use.
+  ![Your provisioning package is ready! screen with 3 steps to get student PCs ready for setup. Save button is active.](images/suspc_runpackage_getpcsready.png)  
 
-  If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience.
+## Run package - Install package on PC
 
-## Related topics
+The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device. 
+
+When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school.  
+
+> [!IMPORTANT]
+> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).  
+
+1.  Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?** 
+
+    If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.  
+
+       ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/win10_1703_oobe_firstscreen.png)  
+  
+2. Insert the USB drive. Windows automatically recognizes and installs the package.  
+   
+     ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspc_studentpcsetup_installingsetupfile.png)  
+3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC.  
+
+     ![Screen with message telling user to remove the USB drive.](images/suspc_setup_removemediamessage.png)  
+
+4. If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience.  If you did configure the package for Azure AD Join, the computer is ready for use and no further configurations are required.  
+
+      If successful, you'll see a setup complete message. The PCs start up on the lock screen with your school's custom background. Upon first use, students and teachers will be able to connect to your school's network and resources.
 
-[Set up Windows devices for education](set-up-windows-10.md)
 

windows/client-management/mdm/TOC.md

@@ -189,6 +189,7 @@
 #### [Authentication](policy-csp-authentication.md)
 #### [Autoplay](policy-csp-autoplay.md)
 #### [Bitlocker](policy-csp-bitlocker.md)
+#### [BITS](policy-csp-bits.md)
 #### [Bluetooth](policy-csp-bluetooth.md)
 #### [Browser](policy-csp-browser.md)
 #### [Camera](policy-csp-camera.md)

windows/client-management/mdm/wifi-csp.md

@@ -12,6 +12,8 @@ ms.date: 06/28/2018
 
 # WiFi CSP
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it is in range.
 

windows/client-management/mdm/wifi-ddf-file.md

@@ -12,6 +12,8 @@ ms.date: 06/28/2018
 
 # WiFi DDF file
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML.
 

windows/client-management/mdm/windowslicensing-csp.md

@@ -7,11 +7,14 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 10/09/2017
+ms.date: 07/16/2018
 ---
 
 # WindowsLicensing CSP
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 desktop and mobile devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 desktop devices.
 
 The following diagram shows the WindowsLicensing configuration service provider in tree format.
@@ -157,8 +160,27 @@ The data type is a chr.
 
 The supported operation is Get.
 
+<a href="" id="smode"></a>**SMode**  
+Interior node for managing S mode.
 
+<a href="" id="smode-switchingpolicy"></a>**SMode/SwitchingPolicy**  
+Added in Windows 10, next major version. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode.
 
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Supported values:  
+-  0 - No Restriction: The user is allowed to switch the device out of S mode.
+-  1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
+
+<a href="" id="smode-switchfromsmode"></a>**SMode/SwitchFromSMode**  
+Added in Windows 10, next major version. Switches a device out of S mode if possible. Does not reboot.
+
+Supported operation is Execute.
+
+<a href="" id="smode-status"></a>**SMode/Status**   
+Added in Windows 10, next major version. Returns the status of the latest SwitchFromSMode set request.
+
+Value type is integer. Supported operation is Get.
 
 ## SyncML examples
 

windows/client-management/mdm/windowslicensing-ddf-file.md

@@ -7,16 +7,19 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 12/05/2017
+ms.date: 07/16/2017
 ---
 
 # WindowsLicensing DDF file
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML.
 
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
 
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, next major version.
 
 ``` syntax
 <?xml version="1.0" encoding="UTF-8"?>
@@ -42,7 +45,7 @@ The XML below is the current version for this CSP.
             <Permanent />
           </Scope>
           <DFType>
-            <MIME>com.microsoft/1.2/MDM/WindowsLicensing</MIME>
+            <MIME>com.microsoft/1.3/MDM/WindowsLicensing</MIME>
           </DFType>
         </DFProperties>
         <Node>
@@ -294,21 +297,101 @@ The XML below is the current version for this CSP.
             </Node>
           </Node>
         </Node>
+        <Node>
+          <NodeName>SMode</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>SwitchingPolicy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Delete />
+                <Replace />
+                <Add />
+              </AccessType>
+              <Description>Policy that determines whether a consumer can switch the device out of S mode</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>SwitchFromSMode</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Exec />
+              </AccessType>
+              <Description>Switches a device out of S mode if possible. Does not reboot.</Description>
+              <DFFormat>
+                <null />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>Status</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request.</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
       </Node>
 </MgmtTree>
-```
-
-## Related topics
-
-
-[WindowsLicensing configuration service provider](windowslicensing-csp.md)
-
- 
-
- 
-
-
-
-
-
-
+```

windows/deployment/upgrade/setupdiag.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 07/17/2018
+ms.date: 07/18/2018
 ms.localizationpriority: high
 ---
 
@@ -32,19 +32,19 @@ SetupDiag works by examining Windows Setup log files. It attempts to parse these
 
 To quickly use SetupDiag on your current computer:
 1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137).
-2. Click [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
+2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
 3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**.
-4. When SetupDiag has finished downloading, open the folder where you downloaded the file. As mentioned above, by default this is your **Downloads** folder which is displayed in File Explorer under **Quick access** in the left pane.
-5. Double-click the SetupDiag file to run it. Click **Yes** if you are asked to approve running the program.
-    >Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing SetupDiag at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way.
-1. A command window will open while SetupDiag diagnoses your computer. Wait for this to finish.
-2. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file.
-3. Use Notepad to open the log file: **SetupDiagResults.log**.
-4. Review the information that is displayed. If a rule was matched this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below.
+4. When SetupDiag has finished downloading, open the folder where you downloaded the file. As mentioned above, by default this is your **Downloads** folder which is displayed in File Explorer under **Quick access** in the left navigation pane.
+5. Double-click the **SetupDiag** file to run it. Click **Yes** if you are asked to approve running the program.
+    - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way.
+6. A command window will open while SetupDiag diagnoses your computer. Wait for this to finish.
+7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file.
+8. Use Notepad to open the log file: **SetupDiagResults.log**.
+9. Review the information that is displayed. If a rule was matched this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below.
 
-For instructions on how to run the tool in offline more and with more advanced options, see the [Parameters](#parameters) section below.
+For instructions on how to run the tool in offline more and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below.
 
-See the [Release notes](#release-notes) section at the bottom of this topic for information about recent updates to this tool. 
+The [Release notes](#release-notes) section at the bottom of this topic has information about recent updates to this tool. 
 
 ## Requirements
 
@@ -63,7 +63,7 @@ See the [Release notes](#release-notes) section at the bottom of this topic for
 | /Output:\<path to results file\> | <ul><li>This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine.  Only text format output is supported.  UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path.  If the path has a space in it, you must enclose the entire path in double quotes (see the example section below). <li>Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same  directory where SetupDiag.exe is run.</ul> |
 | /Mode:\<Offline \| Online\>  |  <ul><li>This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.<li>Offline: tells SetupDiag to run against a set of log files already captured from a failed system.  In this mode you can run anywhere you have access to the log files.  This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.<li>Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.<li>Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key.  Search paths are comma separated.  Note: A large number of search paths will extend the time required for SetupDiag to return results.<li>Default: If not specified, SetupDiag will run in Online mode.</ul> |
 | /LogsPath:\<Path to logs\> | <ul><li>This optional parameter is required only when **/Mode:Offline** is specified.  This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories.  SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.</ul> |
-| /ZipLogs:\<True \| False\> | <ul><li>This optional parameter tells SetupDiag.exe to create a zip file continuing its results and all the log files it parsed.  The zip file is created in the same directory where SetupDiag.exe is run.<li>Default: If not specified, a value of 'true' is used.</ul> |
+| /ZipLogs:\<True \| False\> | <ul><li>This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed.  The zip file is created in the same directory where SetupDiag.exe is run.<li>Default: If not specified, a value of 'true' is used.</ul> |
 | /Verbose | <ul><li>This optional parameter will output much more data to the log file produced by SetupDiag.exe.  By default SetupDiag will only produce a log file entry for serious errors.  Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.</ul> |
 | /Format:\<xml \| json\> | <ul><li>This optional parameter can be used to output log files in xml or JSON format.  If this parameter is not specified, text format is used by default.</ul> |
 

windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 10/27/2017
+ms.date: 07/18/2018
 ---
 
 # BitLocker Management Recommendations for Enterprises
@@ -55,7 +55,7 @@ Windows continues to be the focus for new features and improvements for built-in
 
 Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
 
-For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management<sup>[1]</sup> (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality:
+For older client computers with BitLocker that are domain joined on-premises, use Microsoft BitLocker Administration and Management<sup>[1]</sup>. Using MBAM provides the following functionality:
 
 - Encrypts device with BitLocker using MBAM
 - Stores BitLocker Recovery keys in MBAM Server