Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](upgrade-readiness-requirements.md) for more information. | +| Windows 10 | The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com)
Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](upgrade-readiness-requirements.md) for more information. |
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. |
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. |
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 5b1e837e19..2e4f6d2da4 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -18,6 +18,165 @@ author: greg-lindsay
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
+The following tables summarize different Windows 10 deployment options and requirements.
+
+| Scenario | Description | More information |
+| :---: | :---: | :---: |
+| [Windows AutoPilot](#windows-autopilot) | Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. |[Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-autopilot) |
+| [In-place upgrade](#in-place-upgrade) | Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. |[Perform an in-place upgrade to Windows 10 with MDT](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit)
[Perform an in-place upgrade to Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager) |
+| [Subscription Activation](#windows-10-subscription-activation) | Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. |[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) |
+| [AAD / MDM](#dynamic-provisioning) | The device is automatically joined to AAD and configured by MDM. |[Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm) |
+| [Provisioning packages](#dynamic-provisioning) | Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. |[Configure devices without MDM](https://docs.microsoft.com/windows/configuration/configure-devices-without-mdm) |
+| [Bare metal](#new-computer) | Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt)
[Install a new version of Windows on a new computer with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/install-new-windows-version-new-computer-bare-metal) |
+| [Refresh](#computer-refresh) | Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. |[Refresh a Windows 7 computer with Windows 10](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager) |
+| [Replace](#computer-replace) | Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. |[Replace a Windows 7 computer with a Windows 10 computer](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager) |
+
+Secenario details:
+
+
+
+
+
+
+
+
+ Category
+
+
+ Scenario
+
+
+ Windows 10 1703 or later
+
+
+ Windows 7 to Windows 10 1607
+
+
+ Apps & settings migrated
+
+
+
+
+ Modern
+
+
+ Windows AutoPilot
+
+
+ ✓
+
+
+ X
+
+
+ X
+
+
+
+
+ In-place upgrade
+
+
+ ✓
+
+
+ ✓
+
+
+ ✓
+
+
+
+
+ Dynamic
+
+
+ Subscription Activation
+
+
+ ✓
+
+
+ X
+
+
+ ✓
+
+
+
+
+ AAD / MDM
+
+
+ ✓
+
+
+ ✓
+
+
+ ✓
+
+
+
+
+ Provisioning packages
+
+
+ ✓
+
+
+ ✓
+
+
+ ✓
+
+
+
+
+ Traditional
+
+
+ Bare metal
+
+
+ ✓
+
+
+ ✓
+
+
+ X
+
+
+
+
+ Refresh
+
+
+ ✓
+
+
+ ✓
+
+
+ ✓
+
+
+
+
+ Replace
+
+
+ ✓
+
+
+ ✓
+
+
+ ✓
+
+
+
## Windows AutoPilot
Windows AutoPilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows AutoPilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
@@ -90,7 +249,7 @@ The traditional deployment scenario can be divided into different sub-scenarios.
- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
-###New computer
+### New computer
This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
The deployment process for the new machine scenario is as follows:
@@ -105,7 +264,7 @@ The deployment process for the new machine scenario is as follows:
After taking these steps, the computer is ready for use.
-###Computer refresh
+### Computer refresh
A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
The deployment process for the wipe-and-load scenario is as follows:
@@ -124,7 +283,7 @@ The deployment process for the wipe-and-load scenario is as follows:
After taking these steps, the machine is ready for use.
-###Computer replace
+### Computer replace
A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
The deployment process for the replace scenario is as follows:
diff --git a/windows/deployment/windows-10-deployment-workflow.md b/windows/deployment/windows-10-deployment-workflow.md
new file mode 100644
index 0000000000..51797cdd0a
--- /dev/null
+++ b/windows/deployment/windows-10-deployment-workflow.md
@@ -0,0 +1,17 @@
+---
+title: Windows 10 deployment workflow
+description: Scenarios, methods, tools, and requirements for deploying Windows 10.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.pagetype: deploy
+ms.sitesec: library
+author: greg-lindsay
+ms.date: 12/4/2017
+---
+
+# Windows 10 deployment workflow
+
+
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-deployment-tools.md).
\ No newline at end of file
diff --git a/windows/device-security/applocker/requirements-to-use-applocker.md b/windows/device-security/applocker/requirements-to-use-applocker.md
index ecd3859a24..96c05fcdee 100644
--- a/windows/device-security/applocker/requirements-to-use-applocker.md
+++ b/windows/device-security/applocker/requirements-to-use-applocker.md
@@ -37,9 +37,10 @@ The following table show the on which operating systems AppLocker features are s
| - | - | - | - | - |
| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
-| Windows 8.1| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Only the Enterprise edition supports AppLocker|
+| Windows 8.1 Pro| Yes| No| N/A||
+| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
| Windows RT 8.1| No| No| N/A||
-| Windows 8 Pro| No| No| N/A||
+| Windows 8 Pro| Yes| No| N/A||
| Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL||
| Windows RT| No| No| N/A| |
| Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.|
diff --git a/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
index 3dade6c79d..4483edb168 100644
--- a/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -16,14 +16,14 @@ ms.date: 11/28/2017
- Windows 10
- Windows Server 2016
-Virtualization-based protection of code integrity (herein referred to as HVCI) is a powerful system mitigation, which leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
+Virtualization-based protection of code integrity (herein referred to as Hypervisor-protected Code Integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
-## How to Turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709)
+## How to turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709)
These steps apply to Windows 10 S, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
@@ -65,7 +65,7 @@ B. If you experience software or device malfunction after using the above proced
C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
-## How to Turn off HVCI on the Windows 10 Fall Creators Update
+## How to turn off HVCI on the Windows 10 Fall Creators Update
1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
2. Restart the device.
diff --git a/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 35372481e9..f9f2c541a5 100644
--- a/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -178,9 +178,9 @@ Windows 10 supports features to help prevent sophisticated low-level malware li
Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, refer to the [Virtualization-based security](#virtual) section.
-- **Hyper-V Code Integrity (HVCI).** Hyper-V Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
+- **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run.
- When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services, including Hyper-V Code Integrity (HVCI). HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup.
+ When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup.
HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified.
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index dd929d6bbf..b4176ad214 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -17,6 +17,10 @@ ms.date: 11/21/2017
**Applies to:**
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- Windows Server 2012 R2
- Windows Server 2016