diff --git a/education/windows/TOC.md b/education/windows/TOC.md index fa7c285458..03362643f2 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -1,7 +1,10 @@ # [Windows 10 for education](index.md) ## [Change history for Windows 10 for Education](change-history-edu.md) -## [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) -## [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) +## [Setup options for Windows 10](set-up-windows-10.md) +### [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) +### [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) +### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) +### [Provision student PCs with apps](set-up-students-pcs-with-apps.md) ## [Get Minecraft Education Edition](get-minecraft-for-education.md) ### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) diff --git a/education/windows/images/ICDstart-option.PNG b/education/windows/images/ICDstart-option.PNG new file mode 100644 index 0000000000..1ba49bb261 Binary files /dev/null and b/education/windows/images/ICDstart-option.PNG differ diff --git a/education/windows/images/choose-package-icd.png b/education/windows/images/choose-package-icd.png new file mode 100644 index 0000000000..2bf7a18648 Binary files /dev/null and b/education/windows/images/choose-package-icd.png differ diff --git a/education/windows/images/connect-ad.png b/education/windows/images/connect-ad.png new file mode 100644 index 0000000000..4da67e8cdd Binary files /dev/null and b/education/windows/images/connect-ad.png differ 
diff --git a/education/windows/images/icd-adv-shared-pc.PNG b/education/windows/images/icd-adv-shared-pc.PNG new file mode 100644 index 0000000000..a8da5fa78a Binary files /dev/null and b/education/windows/images/icd-adv-shared-pc.PNG differ diff --git a/education/windows/images/icd-school-adv-edit.png b/education/windows/images/icd-school-adv-edit.png new file mode 100644 index 0000000000..16843cc010 Binary files /dev/null and b/education/windows/images/icd-school-adv-edit.png differ diff --git a/education/windows/images/icd-school.PNG b/education/windows/images/icd-school.PNG new file mode 100644 index 0000000000..e6a944a193 Binary files /dev/null and b/education/windows/images/icd-school.PNG differ diff --git a/education/windows/images/icd-simple.PNG b/education/windows/images/icd-simple.PNG new file mode 100644 index 0000000000..7ae8a1728b Binary files /dev/null and b/education/windows/images/icd-simple.PNG differ diff --git a/education/windows/images/icdbrowse.png b/education/windows/images/icdbrowse.png new file mode 100644 index 0000000000..53c91074c7 Binary files /dev/null and b/education/windows/images/icdbrowse.png differ diff --git a/education/windows/images/setup-options.png b/education/windows/images/setup-options.png new file mode 100644 index 0000000000..d0330a2289 Binary files /dev/null and b/education/windows/images/setup-options.png differ diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md new file mode 100644 index 0000000000..86a2cf7148 --- /dev/null +++ b/education/windows/set-up-students-pcs-to-join-domain.md 
@@ -0,0 +1,109 @@ +--- +title: Set up student PCs to join domain +description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Set up student PCs to join domain +**Applies to:** + +- Windows 10 + +If your school uses Active Directory, use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package that will configure a PC for student use that is joined to the Active Directory domain. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +## Create the provisioning package + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Provision school devices**. + +  + +3. Name your project and click **Finish**. The screens for school provisioning will walk you through the following steps. + +  + +4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. + +5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. + - Home to Education + - Pro to Education + - Pro to Enterprise + - Enterprise to Education + +6. Click **Set up network**. + +7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. + +8. Click **Enroll into Active Directory**. + +9. Toggle **Yes** or **No** for Active Directory enrollment. 
If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. + + > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + - Use a least-privileged domain account to join the device to the domain. + - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. + - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. + +10. Click **Set up school settings**. + +11. Toggle **Yes** or **No** to configure the PC for shared use. + +12. (Optional) Toggle **Yes** or **No** to configure the PC for secure testing. If you select **Yes**, you must also enter the test account to be used and the URL for the test. If you don't configure the test account and URL in this provisioning package, you can do so after the PC is configured; for more information, see [Take tests in Windows 10](take-tests-in-windows-10.md). + +10. Click **Finish**. + +11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. + +12. Click **Create**. + +13. You will see the file path for your provisioning package (by default, %windir%\Users\*your alias*\Windows Imaging and Configuration Designer (WICD)\*Project name*). Copy the provisioning package to a USB drive. 
+ +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +## Apply package + + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. + +  + +6. Read and accept the Microsoft Software License Terms. + +  + +7. Select **Use Express settings**. + +  + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + +  + +9. On the **Choose how you'll connect** screen, select **Join a domain** and tap **Next**. + +  + +10. Sign in with your domain account and password. When you see the progress ring, you can remove the USB drive. + + + diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md new file mode 100644 index 0000000000..f1af6fa30a --- /dev/null +++ b/education/windows/set-up-students-pcs-with-apps.md 
@@ -0,0 +1,202 @@ +--- +title: Provision student PCs with apps +description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. +keywords: ["shared cart", "shared PC", "school"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: jdeckerMS +--- + +# Provision student PCs with apps +**Applies to:** + +- Windows 10 + + +This topic explains how to create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. + +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. + +If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Add apps to a provisioning package](#add-apps-to-a-provisioning-package). If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md), and then follow the steps in [Create a provisioning package to add apps after initial setup](#create-a-provisioning-package-to-add-apps-after-initial-setup). + +## Add apps to a provisioning package + +1. Follow the steps to [create the provisioning package](set-up-students-pcs-to-join-domain.md#create-the-provisioning-package). + +2. On the **Finish** page, select **Switch to advanced editor**. 
+ +  + +**Next steps** +- [Add a desktop app to your package](#add-a-desktop-app-to-your-package) +- [Add a universal app to your package](#add-a-universal-app-to-your-package) +- [Build your package](#build-your-package) +- [Apply the provisioning package to a PC](#apply-package) + + +## Create a provisioning package to add apps after initial setup + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Advanced provisioning**. + +  + +3. Name your project and click **Next**. + +3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. + +**Next steps** +- [Add a desktop app to your package](#add-a-desktop-app-to-your-package) +- [Add a universal app to your package](#add-a-universal-app-to-your-package) +- [Build your package](#build-your-package) +- [Apply the provisioning package to a PC](#apply-package) + + +## Add a desktop app to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. + +2. Add all the files required for the app install, including the data files and the installer. + +3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option. 
+ +> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx). + +**Next steps** +- (optional) [Add a universal app to your package](#add-a-universal-app-to-your-package) +- [Build your package](#build-your-package) +- [Apply the provisioning package to a PC](#apply-package) + +## Add a universal app to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. + +2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name) + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?) + +5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get) + +**Next steps** +- (optional) [Add a desktop app to your package](#add-a-desktop-app-to-your-package) +- [Build your package](#build-your-package) +- [Apply the provisioning package to a PC](#apply-package) + +## Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +1. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + **Tip** + You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important** + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + +**Next step** +- [Apply the provisioning package to a PC](#apply-package) + +## Apply package + +**During initial setup, from a USB drive** +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. + +  + +6. Read and accept the Microsoft Software License Terms. + +  + +7. Select **Use Express settings**. + +  + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + +  + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. + +  + +10. Sign in with your domain, Azure AD, or Office 365 account and password. 
When you see the progress ring, you can remove the USB drive. + +  + + +**After setup, from a USB drive, network folder, or SharePoint site** + +On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. + + + + + +## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + + diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md new file mode 100644 index 0000000000..e6fa36b229 --- /dev/null +++ b/education/windows/set-up-windows-10.md 
@@ -0,0 +1,42 @@ +--- +title: Setup options for Windows 10 +description: Decide which option for setting up Windows 10 is right for you. +keywords: shared cart, shared PC, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Setup options for Windows 10 +**Applies to:** + +- Windows 10 + +MSA is only intended for consumer services. Schools may want to consider using MDM or group policy to block students from adding MSA as a secondary account + + +Reminder to schools that they should consider ratings when picking apps from the store. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, etc. + + + + + + +## In this section + +- [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) +- [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) +- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) +- [Provision student PCs with apps](set-up-students-pcs-with-apps.md) + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) + +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) + + + diff --git a/windows/deploy/images/ICDstart-option.PNG b/windows/deploy/images/ICDstart-option.PNG new file mode 100644 index 0000000000..1ba49bb261 Binary files /dev/null and b/windows/deploy/images/ICDstart-option.PNG differ diff --git a/windows/deploy/images/choose-package.png b/windows/deploy/images/choose-package.png new file mode 100644 index 0000000000..2bf7a18648 Binary files /dev/null and b/windows/deploy/images/choose-package.png differ diff --git a/windows/deploy/images/connect-aad.png b/windows/deploy/images/connect-aad.png new file mode 100644 index 0000000000..8583866165 Binary files /dev/null and b/windows/deploy/images/connect-aad.png differ 
diff --git a/windows/deploy/images/express-settings.png b/windows/deploy/images/express-settings.png new file mode 100644 index 0000000000..99e9c4825a Binary files /dev/null and b/windows/deploy/images/express-settings.png differ diff --git a/windows/deploy/images/icd-simple-edit.png b/windows/deploy/images/icd-simple-edit.png new file mode 100644 index 0000000000..3608dc18f3 Binary files /dev/null and b/windows/deploy/images/icd-simple-edit.png differ diff --git a/windows/deploy/images/icd-simple.PNG b/windows/deploy/images/icd-simple.PNG new file mode 100644 index 0000000000..7ae8a1728b Binary files /dev/null and b/windows/deploy/images/icd-simple.PNG differ diff --git a/windows/deploy/images/license-terms.png b/windows/deploy/images/license-terms.png new file mode 100644 index 0000000000..8dd34b0a18 Binary files /dev/null and b/windows/deploy/images/license-terms.png differ diff --git a/windows/deploy/images/oobe.jpg b/windows/deploy/images/oobe.jpg new file mode 100644 index 0000000000..53a5dab6bf Binary files /dev/null and b/windows/deploy/images/oobe.jpg differ diff --git a/windows/deploy/images/prov.jpg b/windows/deploy/images/prov.jpg new file mode 100644 index 0000000000..1593ccb36b Binary files /dev/null and b/windows/deploy/images/prov.jpg differ diff --git a/windows/deploy/images/setupmsg.jpg b/windows/deploy/images/setupmsg.jpg new file mode 100644 index 0000000000..12935483c5 Binary files /dev/null and b/windows/deploy/images/setupmsg.jpg differ diff --git a/windows/deploy/images/sign-in-prov.png b/windows/deploy/images/sign-in-prov.png new file mode 100644 index 0000000000..55c9276203 Binary files /dev/null and b/windows/deploy/images/sign-in-prov.png differ diff --git a/windows/deploy/images/trust-package.png b/windows/deploy/images/trust-package.png new file mode 100644 index 0000000000..8a293ea4da Binary files /dev/null and b/windows/deploy/images/trust-package.png differ 
diff --git a/windows/deploy/images/who-owns-pc.png b/windows/deploy/images/who-owns-pc.png new file mode 100644 index 0000000000..d3ce1def8d Binary files /dev/null and b/windows/deploy/images/who-owns-pc.png differ diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md index 26d033ac10..28dd14ea9e 100644 --- a/windows/deploy/provision-pcs-for-initial-deployment.md +++ b/windows/deploy/provision-pcs-for-initial-deployment.md @@ -1,6 +1,6 @@ --- title: Provision PCs with common settings (Windows 10) -description: Create a provisioning package to apply settings to a PC running Windows 10. +description: Create a provisioning package to apply common settings to a PC running Windows 10. ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E keywords: ["runtime provisioning", "provisioning package"] ms.prod: W10 
@@ -16,16 +16,127 @@ author: jdeckerMS - Windows 10 -Create a provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. +This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. +## Advantages +- You can configure new devices without reimaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](../whats-new/new-provisioning-packages.md) + +## What does simple provisioning do? + +In a simple provisioning package, you can configure: + +- Device name +- Upgraded product edition +- Wi-Fi network +- Active Directory enrollment +- Local administrator account + +Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). + +> **Tip!** Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. + + + +## Create the provisioning package + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +1. 
Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Simple provisioning**. + +  + +3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps. + +  + +4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. + +5. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. + - Pro to Education + - Pro to Enterprise + - Enterprise to Education + +6. Click **Set up network**. + +7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. + +8. Click **Enroll into Active Directory**. + +9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. + + > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + - Use a least-privileged domain account to join the device to the domain. + - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. + - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. + +10. Click **Finish**. + +11. 
Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. + +12. Click **Create**. + +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +## Apply package + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. + +  + +6. Read and accept the Microsoft Software License Terms. + +  + +7. Select **Use Express settings**. + +  + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + +  + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. + +  + +10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. 
+ +  ## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) -- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) - -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md index ddf0cfbe2a..69a4bb263f 100644 --- a/windows/deploy/provision-pcs-with-apps-and-certificates.md +++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md 
@@ -16,19 +16,183 @@ author: jdeckerMS - Windows 10 -Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. +This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. + +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. + +## Advantages +- You can configure new devices without reimaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](../whats-new/new-provisioning-packages.md) + +## Create the provisioning package + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Advanced provisioning**. + +  + +3. Name your project and click **Next**. + +3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. +### Add a desktop app to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. + +2. Add all the files required for the app install, including the data files and the installer. + +3. 
Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the msiexec /quiet option. + +> **Note**: If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/en-us/library/windows/hardware/mt703295%28v=vs.85%29.aspx). + + +### Add a universal app to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. + +2. For **UserContextApp**, specify the **PackageFamilyName** for the app. (how to find package family name) + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. (how will they know?) + +5. For **UserContextAppLicense**, enter the **LicenseProductID**. (where to get) + + +### Add a certificate to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then click **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate to be used. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. + + +### Add other settings to your package + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). 
+ +### Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + **Tip** + You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important** + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + - Email + + - USB tether (mobile only) + + - NFC (mobile only) + + + +## Apply package + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. + +  + +6. Read and accept the Microsoft Software License Terms. + +  + +7. Select **Use Express settings**. + +  + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + +  + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. + +  + +10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. 
+ +  ## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) -- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) - -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) - - - +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md deleted file mode 100644 index bf4a5f64da..0000000000 --- a/windows/deploy/windows-10-poc.md +++ /dev/null @@ -1,88 +0,0 @@ ---- -title: Deploy Windows 10 in a test lab (Windows 10) -description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Deploy Windows 10 in a test lab -**Applies to** - -- Windows 10 - -## Setting up a proof of concept deployment lab - -This following topics provide instructions for setting up a proof of concept (PoC) lab where you can deploy Windows 10 in a private environment using a minimum amount of resources. The lab utilizes the Microsoft Hyper-V platform to run virtual machines that provide all the services and tools required to deploy Windows 10 on a network. - -
Topic | -Description | -
[Configure the PoC environment](#configure-the-poc-environment) | -Instructions are provided for installing and configuring Hyper-V and configuring VHDs in preparation for different deployment scenarios. | -
Topic 2 | -Description 2 | -
Topic 3 | -Description 3 | -
Topic 4 | -Description 4 | -
Content type | -References | -
---|---|
Product evaluation |
-[What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx) -[Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2](http://technet.microsoft.com/library/ff641731.aspx) -[Service Accounts Step-by-Step Guide](http://technet.microsoft.com/library/dd548356.aspx) -[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) |
-
Deployment |
-[Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
-
Operations |
-[Managed Service Accounts in Active Directory](http://technet.microsoft.com/library/dd378925.aspx) |
-
Tools and settings |
-[Managed Service Accounts in Active Directory Domain Services](http://technet.microsoft.com/library/dd378925.aspx) |
-
Community resources |
-[Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting](http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx) |
-
Related technologies |
-[Security Principals Technical Overview](security-principals.md) -[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |
-
Policy path | |
---|---|
Policy name | Value |
+
Admin Templates > Control Panel > Personalization |
|
Prevent enabling lock screen slide show | Enabled |
Prevent changing lock screen and logon image | Enabled |
-
Policy name | Value |
---|---|
Admin Templates > System > Power Management > Button Settings |
+|
Select the Power button action (plugged in) | Sleep |
Select the Power button action (on battery) | Sleep |
@@ -163,12 +162,9 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
Select the lid switch action (plugged in) | Sleep |
Select the lid switch action (on battery) | Sleep |
-
Policy name | Value |
---|---|
Admin Templates > System > Power Management > Sleep Settings |
+|
Require a password when a computer wakes (plugged in) | Enabled |
Require a password when a computer wakes (on battery) | Enabled |
@@ -177,139 +173,106 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
Specify the system sleep timeout (on battery) | 1 hour |
Turn off hybrid sleep (plugged in) | Enabled |
+
Turn off hybrid sleep (plugged in) | Enabled |
Turn off hybrid sleep (on battery) | Enabled |
+
Turn off hybrid sleep (on battery) | Enabled |
Specify the unattended sleep timeout (plugged in) | 1 hour |
+
Specify the unattended sleep timeout (plugged in) | 1 hour |
Specify the unattended sleep timeout (on battery) | 1 hour |
Allow standby states (S1-S3) when sleeping (plugged in) | Enabled |
+
Allow standby states (S1-S3) when sleeping (plugged in) | Enabled |
Allow standby states (S1-S3) when sleeping (on battery) | Enabled |
Specify the system hibernate timeout (plugged in) | Enabled, 0 |
Specify the system hibernate timeout (on battery) | Enabled, 0 |
-
Policy name | Value |
---|---|
Admin Templates>System>Power Management>Video and Display Settings | |
Turn off the display (plugged in) | 1 hour |
Turn off the display (on battery | 1 hour |
-
Policy name | Value |
+
---|---|
Turn off the display (on battery | 1 hour |
Show first sign-in animation | Disabled |
+
Admin Templates>System>Logon |
+|
Show first sign-in animation | Disabled |
Hide entry points for Fast User Switching | Enabled |
Turn on convenience PIN sign-in | Disabled |
+
Turn on convenience PIN sign-in | Disabled |
Turn off picture password sign-in | Enabled |
+
Turn off picture password sign-in | Enabled |
Turn off app notification on the lock screen | Enabled |
+
Turn off app notification on the lock screen | Enabled |
Allow users to select when a password is required when resuming from connected standby | Disabled |
Block user from showing account details on sign-in | Enabled |
-
Policy name | Value |
+
---|---|
Block user from showing account details on sign-in | Enabled |
Turn off the advertising ID | Enabled |
-
Policy name | Value |
+
---|---|
Admin Templates>System>User Profiles |
+|
Turn off the advertising ID | Enabled |
+
Admin Templates>Windows Components |
|
Do not show Windows Tips | Enabled |
Turn off Microsoft consumer experiences | Enabled |
Microsoft Passport for Work | Disabled |
+
Microsoft Passport for Work | Disabled |
Prevent the usage of OneDrive for file storage | Enabled |
-
Policy name | Value |
+
---|---|
Prevent the usage of OneDrive for file storage | Enabled |
Allow the use of biometrics | Disabled |
+
Admin Templates>Windows Components>Biometrics |
+|
Allow the use of biometrics | Disabled |
Allow users to log on using biometrics | Disabled |
Allow domain users to log on using biometrics | Disabled |
-
Policy name | Value |
---|---|
Toggle user control over Insider builds | Disabled |
+
Admin Templates>Windows Components>Data Collection and Preview Builds |
+|
Toggle user control over Insider builds | Disabled |
Disable pre-release features or settings | Disabled |
Do not show feedback notifications | Enabled |
-
Policy name | Value |
---|---|
Show lock in the user tile menu | Disabled |
-
Policy name | Value |
+
---|---|
Admin Templates>Windows Components>File Explorer |
|
Automatic Maintenance Activation Boundary | 12am |
+
Show lock in the user tile menu | Disabled |
+
Admin Templates>Windows Components>Maintenance Scheduler |
+|
Automatic Maintenance Activation Boundary | 12am |
Automatic Maintenance Random Delay | Enabled, 2 hours |
Automatic Maintenance WakeUp Policy | Enabled |
-
Policy name | Value |
---|---|
Admin Templates>Windows Components>Microsoft Edge |
+|
Open a new tab with an empty tab | Disabled |
Configure corporate home pages | Enabled, about:blank |
-
Policy name | Value |
---|---|
Admin Templates>Windows Components>Search |
+|
Allow Cortana | Disabled |
-
Policy name | Value |
---|---|
Interactive logon: Do not display last user name | Enabled |
+
Windows Settings>Security Settings>Local Policies>Security Options |
+|
Interactive logon: Do not display last user name | Enabled |
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled |
Shutdown: Allow system to be shut down without having to log on | Disabled |
User Account Control: Behavior of the elevation prompt for standard users | Auto deny |
+
User Account Control: Behavior of the elevation prompt for standard users | Auto deny |
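Review bot: In windows/deploy/provision-pcs-with-apps-and-certificates.md, the "Add a universal app to your package" steps still carry draft author notes that will publish as body text: "(how to find package family name)", "(how will they know?)" and "(where to get)". Replace each with the actual instruction or a link before merging. In the same hunk, step 1 of "Create the provisioning package" gives the ICD location as %windir%\Program Files (x86)\Windows Kits\..., but %windir% expands to the Windows directory, so the path as written does not resolve on a default install; %ProgramFiles(x86)% or %systemdrive%\Program Files (x86) is what is meant. Finally, the package built here carries a client certificate together with its CertificatePassword, yet step 11 of "Build your package" presents encryption and signing as "Optional", and step 16 lists email and a shared network folder as ways to hand out the .ppkg. Consider stating in the certificate section that a package containing a certificate should be built with **Enable package encryption** selected, and pointing back to the existing Important note that project files are never encrypted.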
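Review bot: In the policy table hunk starting at @@ -177,139 +173,106 @@, the row "Turn off the display (on battery | 1 hour" is missing the closing parenthesis after "battery". Since this hunk rewrites the table, fix the label to "Turn off the display (on battery)" so that it matches the "(plugged in)" row above it. The policy path rows are also written two ways: the earlier rows use "Admin Templates > System > Power Management > Sleep Settings" with spaces around ">", while the rows in this hunk use "Admin Templates>System>Logon" and "Admin Templates>Windows Components>Biometrics" without them. Pick one form for every path row.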