diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index fc8a612b80..b6c34c4968 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -43,14 +43,14 @@ Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScrip ### Set up Microsoft Edge to use the Enterprise Mode site list -You must turn on the **Use Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). +You must turn on the **Configure the Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). > **Note**
> If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. **To turn on Enterprise Mode using Group Policy** -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Allows you to configure the Enterprise Mode Site list** setting.

Turning this setting on also requires you to create and store a site list.

![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png) +1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** policy.

Turning this setting on also requires you to create and store a site list.

![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png) 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 899c3da6e3..900f6cbb17 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration **To set the default browser as Internet Explorer 11** -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+1. Open your Group Policy editor and go to the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). ![set default associations group policy setting](images/setdefaultbrowsergp.png) diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 0abcc7ac79..9b54f8a335 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -42,7 +42,8 @@ If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](# >[!NOTE] >Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. -### Start layout file for Intune + +### Start layout file for MDM (Intune and others) Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). 
@@ -92,7 +93,7 @@ You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to ## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803) -For HoloLens devices that are managed by Microsoft Intune, you [create a device restriction profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk (Preview) settings](https://docs.microsoft.com/intune/device-restrictions-windows-holographic#kiosk-preview). +For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings). For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file. @@ -212,8 +213,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* ## More information -Watch how to configure a kiosk in Microsoft Intune. ->[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false] + Watch how to configure a kiosk in a provisioning package. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] \ No newline at end of file diff --git a/devices/hololens/hololens-microsoft-layout-app.md b/devices/hololens/hololens-microsoft-layout-app.md index d2357ed2ee..4f5540e858 100644 --- a/devices/hololens/hololens-microsoft-layout-app.md +++ b/devices/hololens/hololens-microsoft-layout-app.md 
@@ -25,7 +25,7 @@ Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset | OS requirements | Details | |:----------------------------------|:-----------------------------------------------------------| -| Build 10.0.17134.77 or above | See [Manage updates to HoloLens](hololens-updates.md) for instructions on upgrading to this build. | +| Build 10.0.17134.77 or above | See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens) for instructions on upgrading to this build. | #### Windows Mixed Reality headset requirements diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 86631b4976..c1a90edadb 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -22,7 +22,7 @@ Some of the HoloLens configurations that you can apply in a provisioning package - Set up a Wi-Fi connection - Apply certificates to the device -To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store]((https://www.microsoft.com/store/apps/9nblggh4tx22)) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. +To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. 
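Review bot: the rewritten line in hololens-provisioning.md still spells the tool two ways, "Windows Configuration Designer" in the first sentence and "Windows Configurations Designer" in the second. Since the line is already being changed for the doubled-parenthesis link fix, use "Windows Configuration Designer" in both places.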
diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md index 8850ba0f96..0f62fc2e6e 100644 --- a/devices/hololens/hololens-setup.md +++ b/devices/hololens/hololens-setup.md @@ -19,7 +19,6 @@ Before you get started setting up your HoloLens, make sure you have a Wi-Fi netw The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. You need to connect HoloLens to a Wi-Fi network with Internet connectivity so that the user account can be authenticated. - It can be an open Wi-Fi or password-protected Wi-Fi network. -- The Wi-Fi network cannot require you to navigate to a webpage to connect. - The Wi-Fi network cannot require certificates to connect. - The Wi-Fi network does not need to provide access to enterprise resources or intranet sites. diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index 0b91b6f361..e10552862b 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md @@ -12,7 +12,7 @@ ms.date: 04/30/2018 # Manage updates to HoloLens - +>**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).** Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index c769840d86..a01bbdbab3 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md 
@@ -44,7 +44,7 @@ Microsoft publishes two types of Surface Hub releases broadly on an ongoing basi In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes. -The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates. +The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates. For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md index 257bc6b58b..8ddafa924a 100644 --- a/devices/surface-hub/surface-hub-downloads.md +++ b/devices/surface-hub/surface-hub-downloads.md 
@@ -18,7 +18,7 @@ This topic provides links to useful Surface Hub documents, such as product datas | --- | --- | | [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) | | [Surface Hub Setup Guide (English, French, Spanish) (PDF)](http://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. | -| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface Hub Quick Reference Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. | +| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. | | [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. 
| | [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. | | [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. | diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 16b5c8a0e2..856e1c3a19 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -1,7 +1,7 @@ --- title: Inclusive Classroom IT Admin Guide description: Learning which Inclusive Classroom features are available in which apps and in which versions of Microsoft Office. -keywords: Test +keywords: Inclusive Classroom, Admin, Administrator, Microsoft Intune, Intune, Ease of Access, Office 365, account ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -11,43 +11,72 @@ ms.pagetype: edu ROBOTS: noindex,nofollow author: alhughes ms.author: alhughes -ms.date: 03/18/2018 +ms.date: 06/12/2018 --- -|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | -|---|---|---|---|---|---|---|---|---|---| -| Read aloud with simultaneous highlighting |

| |

X

|

X

|

X

| |

X

| | | -| Adjustable text spacing and font size | | |

X

|

X

|

X

| |

X

| | | -| Syllabification | | |

X

|

X

|

X

| |

X

| | | -| Parts of speech identification | | |

X

| | | |

X

| |

X

| -| Line focus mode | | | | | | |

X

| | | -| Picture Dictionary | | | | | | |

X

| |

X

| +# Inclusive Classroom IT Admin Guide +The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Microsoft Office. +You will also learn how to deploy apps using Microsoft Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription. + +1. [Inclusive Classroom features](#features) +2. [Deploying apps with Microsoft Intune](#intune) +3. [How to show/hide the Ease of Accesss settings for text in Windows 10](#ease) +4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account) + +## Inclusive Classroom features +|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Read aloud with simultaneous highlighting | | |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| +| Adjustable text spacing and font size | | |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| +| Syllabification | | |

X

(N/A for Word for iOS, Word Online, Outlook Web Access)

|

X

(N/A for Word iOS)

|

X

(N/A for Word iOS)

|

X

(N/A for any OneNote apps or Word iOS)

| +| Parts of speech identification | | |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +| Line focus mode | | |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +| Picture Dictionary | | |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|
-| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | -|---|---|---|---|---|---|---|---|---|---| -| Dictation | | |

X

|

X

| | | | | | -| Spelling suggestions for phonetic misspellings | | |

X

|

X

|

X

| | | | | -| Synonyms alongside spelling suggestions that can be read aloud | | |

X

|

X

|

X

| | | | | -| Grammar checks | | |

X

|

X

| | | | | | -| Customizable writing critiques | | |

X

|

X

| | | | | | -| Tell me what you want to do | | |

X

|

X

|

X

| |

X

| | | -| Editor | | |

X

|

X

| | | | | | +| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Dictation | | |

X

|

X

| | | +| Spelling suggestions for phonetic misspellings | | |

X

|

X

|

X

| | +| Synonyms alongside spelling suggestions that can be read aloud | | |

X

|

X

|

X

| | +| Grammar checks | | |

X

|

X

| | | +| Customizable writing critiques | | |

X

|

X

| | | +| Tell me what you want to do | | |

X

|

X

|

X

| | +| Editor | | |

X

|

X

| | |
-| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | -|---|---|---|---|---|---|---|---|---|---| -| Accessibility Checker | | | | | | | | | | -| Accessible Templates | | | | | | | | | | -| Ability to add alt-text for images | | | | | | | | | | -| Ability to add captions to videos | | | | | | | | | | -| Export as tagged PDF | | | | | | | | | | -| Ability to request accessible content | | | | | | | | | | +| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Accessibility Checker | | |

X

| | | | +| Accessible Templates | | |

X

| | | | +| Ability to add alt-text for images | | |

X

| | | | +| Ability to add captions to videos | | |

X

| | | | +| Export as tagged PDF | | | | | | | +| Ability to request accessible content | | | | | | |
+| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Microsoft Translator | |

X

|

X

|

X

|

X

|

X

| +
-| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | -|---|---|---|---|---|---|---|---|---|---| -| Translate Language of Document | | | | | | | | | | -| PowerPoint Translator | | | | | | | | | | -
\ No newline at end of file +## Deploying apps with Microsoft Intune +Microsoft Intune can be used to deploy apps such as Immersive Reader and Microsoft Translator to all the devices connected in the same groups. +1. Go to the Intune for Education portal and log in with your account. +2. Select the **Apps** page. +3. Find the app you're looking for in the included list (if it's not there, you can select **Add app** and download it from the Microsoft Store). +4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to. + +## How to show/hide the Ease of access settings for text in Windows 10 +The Ease of access settings in Windows 10 are very useful accessibility tools, but having those options could be a bit much for everyone in a group to have in their device. With the following instructions you can chose to hide or show the Ease of access settings on users' devices. +1. Go to the Intune for Education portal and login with your account. +2. Select the **Groups** page and then select your desired group. +3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**. +4. Select **Save** after making your selection. + +## How to change your Office 365 account from monthly, semi-annual, or yearly +Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly. +1. Sign-in to your services and subscriptions with your Microsoft account. +2. Find the subscription in the list, then select **Change how you pay**. + >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. 
You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires. +3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. \ No newline at end of file diff --git a/education/index.md b/education/index.md index 424b52680d..c78b456b9e 100644 --- a/education/index.md +++ b/education/index.md @@ -6,6 +6,7 @@ description: Learn about product documentation and resources available for schoo author: CelesteDG ms.topic: hub-page ms.author: celested +ms.collection: ITAdminEDU ms.date: 10/30/2017 ---
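Review bot: the new table of contents in inclusive-classroom-it-admin.md links to `#features`, `#intune`, `#ease` and `#account`, but none of the added `##` headings defines those anchors, so the four links will not resolve unless explicit anchors are added or the links are changed to the generated heading slugs. The added text also has a few typos worth fixing in the same pass: "Ease of Accesss" in the list, "you can chose" (should be "choose"), "login with your account" in one procedure against "log in with your account" in the other, and "Sign-in to your services" (should be "Sign in to").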
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 24bde1c0c2..22dd70e019 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -2,7 +2,7 @@ title: Use Set up School PCs app description: Learn how the Set up School PCs app works and how to use it. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use -ms.prod: w10 +ms.prod: w10 ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library @@ -198,7 +198,7 @@ The **Set up School PCs** app guides you through the configuration choices for t If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC. - - Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they’re ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. + - Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they're ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background. **Figure 4** - Configure student PC settings diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md index 432f95693e..403b4c37a9 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md 
@@ -7,7 +7,7 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 06/16/2016 +ms.date: 06/15/2018 --- @@ -16,18 +16,17 @@ ms.date: 06/16/2016 In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters. -**To Install the App-V 5.0 server using a script** +Use the following tables for more information about installing the App-V 5.0 server using the command line. -- Use the following tables for more information about installing the App-V 5.0 server using the command line. +>[!NOTE]   +>The information in the following tables can also be accessed using the command line by typing the following command: +>``` +> appv\_server\_setup.exe /? +>``` - **Note**   - The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**. +## Common parameters and Examples -   - - **Common parameters and Examples** - - +
@@ -67,10 +66,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   - - +
@@ -109,11 +106,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u

/EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”

-
+   -   - - +
@@ -153,10 +148,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
- -   - - +   +
@@ -191,9 +184,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   - - +
@@ -228,9 +219,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   - - +
@@ -255,9 +244,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   - - +
@@ -298,9 +285,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   - - +
@@ -339,9 +324,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   - - +
@@ -380,9 +363,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   - - +
@@ -417,9 +398,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   - - +
@@ -454,13 +433,11 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   +## Parameter Definitions - **Parameter Definitions** +### General Parameters - **General Parameters** - - +
@@ -503,11 +480,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   +### Management Server Installation Parameters - **Management Server Installation Parameters** - - +
@@ -538,11 +513,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   +### Parameters for the Management Server Database - **Parameters for the Management Server Database** - - +
@@ -585,11 +558,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   +### Parameters for Installing Publishing Server - **Parameters for Installing Publishing Server** - - +
@@ -620,11 +591,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   +### Parameters for Reporting Server - **Parameters for Reporting Server** - - +
@@ -653,9 +622,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u   - **Parameters for using an Existing Reporting Server Database** +### Parameters for using an Existing Reporting Server Database -
+
@@ -690,11 +659,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   +### Parameters for installing Reporting Server Database - **Parameters for installing Reporting Server Database** - - +
@@ -733,11 +700,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
-   +### Parameters for using an existing Management Server Database - **Parameters for using an existing Management Server Database** - - +
@@ -770,15 +735,13 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u - - -

Specifies the name of the existing management database that should be used. Example usage: /EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

Got a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).

- -   + + + +   ## Related topics - [Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md)   diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md index c8ba024eef..2a97dc6cbb 100644 --- a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md +++ b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md @@ -7,7 +7,7 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 05/23/2018 +ms.date: 06/15/2018 --- # How to Move the MBAM 2.5 Databases @@ -64,8 +64,8 @@ The high-level steps for moving the Recovery Database are: To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: -```syntax -PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" +```powershell +Stop-Website "Microsoft BitLocker Administration and Monitoring" ``` @@ -130,8 +130,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" 4. In Windows PowerShell, run the script that is stored in the file and similar to the following: - ```syntax - PS C:\> Invoke-Sqlcmd -InputFile + ```powershell + Invoke-Sqlcmd -InputFile 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ ``` 5. Use the following value to replace the values in the code example with values that match your environment: 
@@ -144,24 +144,24 @@ Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** fi To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: -```syntax -PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak” +```powershell +Copy-Item “Z:\MBAM Recovery Database Data.bak” \\$SERVERNAME$\$DESTINATIONSHARE$ -PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile” +Copy-Item “Z:\SQLServerInstanceCertificateFile” \\$SERVERNAME$\$DESTINATIONSHARE$ -PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” +Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” \\$SERVERNAME$\$DESTINATIONSHARE$ ``` Use the information in the following table to replace the values in the code example with values that match your environment. -| **Parameter** | **Description** | -|----------------------|---------------------------------------------------------------| -| $SERVERNAME$ | Name of the server to which the files will be copied. | +| **Parameter** | **Description** | +|----------------------|------------------| +| $SERVERNAME$ | Name of the server to which the files will be copied. | | $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. | -|---|---| + ### Restore the Recovery Database on Server B @@ -173,7 +173,7 @@ Use the information in the following table to replace the values in the code exa 4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: - ```syntax + ``` -- Restore MBAM Recovery Database. USE master 
@@ -219,8 +219,8 @@ Use the information in the following table to replace the values in the code exa 6. In Windows PowerShell, run the script that is stored in the file and similar to the following: - ```syntax - PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ + ```powershell + Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ ``` 7. Use the following value to replace the values in the code example with values that match your environment. @@ -245,19 +245,19 @@ Use the information in the following table to replace the values in the code exa 6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: - ```syntax - PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v + ```powershell + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f - PS C:\> Set-WebConfigurationProperty + Set-WebConfigurationProperty 'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;” - PS C:\> Set-WebConfigurationProperty + Set-WebConfigurationProperty 'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value 
@@ -271,52 +271,11 @@ Use the information in the following table to replace the values in the code exa 7. Use the following table to replace the values in the code example with values that match your environment. - ```html - + |Parameter|Description| + |---------|-----------| + |$SERVERNAME$/\$SQLINSTANCENAME$|Server name and instance of SQL Server where the Recovery Database is located.| + |$DATABASE$|Name of the Recovery database.| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ParameterDescription

$SERVERNAME$\$SQLINSTANCENAME$

Server name and instance of SQL Server where the Recovery Database is located.

$DATABASE$

Name of the Recovery database.

- - ``` ### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B @@ -334,8 +293,8 @@ On the server that is running the Administration and Monitoring Website, use the To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: -```syntax -PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring" +```powershell +Start-Website "Microsoft BitLocker Administration and Monitoring" ``` >[!NOTE] @@ -366,8 +325,8 @@ The high-level steps for moving the Compliance and Audit Database are: To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: -```syntax -PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" +```powershell +Stop-Website "Microsoft BitLocker Administration and Monitoring" ``` @@ -380,8 +339,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" 2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: - ```syntax - + ``` USE master; GO @@ -414,8 +372,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" 3. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: - ```syntax - PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ + ```powershell + Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ ``` 
@@ -429,10 +387,9 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" 2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: - ```syntax - PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak" + ```powershell + Copy-Item "Z:\MBAM Compliance Status Database Data.bak" \\$SERVERNAME$\$DESTINATIONSHARE$ - ``` 3. Using the following table, replace the values in the code example with values that match your environment. @@ -441,7 +398,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" |----------------------|---------------------------------------------------------------| | $SERVERNAME$ | Name of the server to which the files will be copied. | | $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. | - |---|---| + ### Restore the Compliance and Audit Database on Server B @@ -453,7 +410,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" 4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: - ```syntax + ``` -- Create MBAM Compliance Status Database Data logical backup devices. Use master @@ -472,8 +429,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" 5. In Windows PowerShell, run the script that is stored in the file and similar to the following: - ```syntax - PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ + ```powershell + Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ ``` 
@@ -500,8 +457,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" 6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: - ```syntax - PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v + ```powershell + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f @@ -512,52 +469,10 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" 7. Using the following table, replace the values in the code example with values that match your environment. - ```html - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ParameterDescription

$SERVERNAME$\$SQLINSTANCENAME$

Server name and instance of SQL Server where the Recovery Database is located.

$DATABASE$

Name of the recovered database.

- - ``` + |Parameter | Description | + |---------|------------| + |$SERVERNAME$\$SQLINSTANCENAME$ | Server name and instance of SQL Server where the Recovery Database is located.| + |$DATABASE$|Name of the recovered database.| ### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B @@ -575,8 +490,8 @@ On the server that is running the Administration and Monitoring Website, use the To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: -```syntax -PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring" +```powershell +Start-Website "Microsoft BitLocker Administration and Monitoring" ``` diff --git a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md index cc36387362..81fdf55268 100644 --- a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md +++ b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md @@ -7,7 +7,7 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 06/16/2016 +ms.date: 06/15/2018 --- 
@@ -34,178 +34,61 @@ The following image and table explain the features in an MBAM Stand-alone topolo ![mbab2\-5](images/mbam2-5-standalonecomponents.png) -Feature type -Feature -Description -Database - -Recovery Database - -This database stores recovery data that is collected from MBAM client computers. - -This feature is configured on a server running Windows Server and a supported SQL Server instance. - -Compliance and Audit Database - -This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts. - -This feature is configured on a server running Windows Server and a supported SQL Server instance. - -Compliance and Audit Reports - -Reporting Web Service - -This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored. - -This feature is installed on a server running Windows Server. - -Reporting Website (Administration and Monitoring Website) - -You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise. - -This feature is configured on a server running Windows Server. - -SQL Server Reporting Services (SSRS) - -Reports are configured in an SSRS database instance. Reports can be viewed directly from SSRS or from the Administration and Monitoring Website. - -This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS. - -Self-Service Server - -Self-Service Web Service - -This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database. - -This feature is installed on a computer running Windows Server. 
+|Feature type|Description|Database| +|-|-|-| +|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| +|Compliance and Audit Database|This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| +|Compliance and Audit Reports||| +|Reporting Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored.|This feature is installed on a server running Windows Server.| +|Reporting Website (Administration and Monitoring Website)|You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise.|This feature is configured on a server running Windows Server.| +|SQL Server Reporting Services (SSRS)|Reports are configured in an SSRS database instance. 
Reports can be viewed directly from SSRS or from the Administration and Monitoring Website.|This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS.| +|Self-Service Server||| +|Self-Service Web Service|This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.| +|Self-Service Website (Self-Service Portal)|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.| +|Administration and Monitoring Server||| +|Administration and Monitoring Web Service|The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.|This feature is installed on a computer running Windows Server.| **Important**   The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database. -  - -Self-Service Website (Self-Service Portal) - -This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password. - -This feature is configured on a computer running Windows Server. - -Administration and Monitoring Server - -Administration and Monitoring Web Service - -The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases. - -This feature is installed on a computer running Windows Server. 
- **Important**   The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. - -  - -Administration and Monitoring Website (also known as the Help Desk - -This Website is used by Help Desk users (users with the MBAM Report Users rights) to help end users regain access to their computers when they forget their PIN or password. - -This feature is configured on a computer running Windows Server. -   ##
System Center Configuration Manager Integration topology - The following image and table explain the features in the System Center Configuration Manager Integration topology. ![mbam2\-5](images/mbam2-5-cmcomponents.png) -Feature type -Feature -Description -Self-Service Server - -Self-Service Web Service - -This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database. - -This feature is installed on a computer running Windows Server. - **Important**   The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database. -  - -Self-Service Website - -This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password. - -This feature is configured on a computer running Windows Server. - -Administration and Monitoring Server/Recovery Audit Report - -Administration and Monitoring Web Service - -This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored. - -This feature is installed on a server running Windows Server. - **Warning**   The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. -  - -Administration and Monitoring Website - -The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services. - -This feature is configured on a server running Windows Server. 
- -Databases - -Recovery Database - -This database stores recovery data that is collected from MBAM client computers. - -This feature is configured on a server running Windows Server and a supported SQL Server instance. - -Audit Database - -This database stores audit information about recovery attempts and activity. - -This feature is configured on a server running Windows Server and a supported SQL Server instance. - -Configuration Manager Features - -Configuration Manager Management console - -This console is built into Configuration Manager and is used to view reports. - -For viewing reports only, this feature can be installed on any server or client computer. - -Configuration Manager Reports - -Reports show compliance and recovery audit data for client computers in your enterprise. - -The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS. - -SQL Server Reporting Services - -SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console. - -SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS. 
- -  - +|Feature type|Description| +|-|-| +|Self-Service Server||| +|Self-Service Web Service|This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.| +|Self-Service Website|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.| +|Administration and Monitoring Server/Recovery Audit Report||| +|Administration and Monitoring Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.|This feature is installed on a server running Windows Server.| +|Administration and Monitoring Website|The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.|This feature is configured on a server running Windows Server.| +|Databases||| +|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| +|Audit Database|This database stores audit information about recovery attempts and activity.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| +|Configuration Manager Features||| +|Configuration Manager Management console|This console is built into Configuration Manager and is used to view reports.|For viewing reports only, this feature can be installed on any server or client computer.| +|Configuration Manager Reports|Reports show compliance and recovery audit data for client computers in your enterprise.|The Reports feature is installed on a server running Windows 
Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.| +|SQL Server Reporting Services|SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.|SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.| ## Related topics - [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md) [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) -  - -  ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md index a838e4c9c7..b183080d0a 100644 --- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md +++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md @@ -7,7 +7,7 @@ ms.pagetype: mdop ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w8 -ms.date: 07/26/2017 +ms.date: 06/15/2018 --- @@ -18,7 +18,6 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa ## MDOP Group Policy templates - **How to download and deploy the MDOP Group Policy templates** 1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) 
@@ -28,17 +27,15 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa **Warning**   Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file. -   - 3. In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings. 4. Locate the appropriate .adml file by language-culture (that is, *en-us* for English-United States). 5. Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain. - **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations: + - **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations: - +
@@ -61,11 +58,9 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
-   + - **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller: - **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller: - - +
@@ -89,9 +84,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
-   - -6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology. +6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology. ### MDOP Group Policy by technology diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index fc29d300b3..e2988a84c9 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -68,7 +68,7 @@ We’ve been working on bug fixes and performance improvements to provide you a - Bug fixes and performance improvements [October 2017](release-history-microsoft-store-business-education.md#october-2017) -- Bug fixes and permformance improvements +- Bug fixes and performance improvements [September 2017](release-history-microsoft-store-business-education.md#september-2017) - Manage Windows device deployment with Windows Autopilot Deployment diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index ce1b3601b9..be2acfa151 100644 --- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md 
@@ -1,42 +1,46 @@ --- -title: How to Apply the Deployment Configuration File by Using Windows PowerShell (Windows 10) -description: How to Apply the Deployment Configuration File by Using Windows PowerShell +title: How to apply the deployment configuration file by using Windows PowerShell (Windows 10) +description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/15/2018 --- +# How to apply the deployment configuration file by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# How to Apply the Deployment Configuration File by Using Windows PowerShell +When you add or set a package to a computer running the App-V client before it's been published, a dynamic deployment configuration file is applied to it. The dynamic deployment configuration file configures the default settings for the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file. -**Applies to** -- Windows 10, version 1607 +## Apply the deployment configuration file with Windows PowerShell -The dynamic deployment configuration file is applied when a package is added or set to a computer running the App-V client before the package has been published. The file configures the default settings for package for all users on the computer running the App-V client. This section describes the steps used to use a deployment configuration file. 
The procedure is based on the following example and assumes the following package and configuration files exist on a computer: +>[!NOTE] +>The following example cmdlet uses the following two file paths for the package and configuration files: + > + >* C:\\Packages\\Contoso\\MyApp.appv + >* C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml + > +>If your package and configuration files use different file paths than the example, feel free to replace them as needed. -**c:\\Packages\\Contoso\\MyApp.appv** +To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, enter the following cmdlet: -**c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** +```PowerShell +Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml +``` -**To Apply the Deployment Configuration File Using Windows PowerShell** +>[!NOTE] +>This command captures the resulting object into $pkg. If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document: +> +> ```PowerShell +> Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml +> ``` -- To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, type the following: - - `Add-AppVClientPackage -Path c:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration c:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml` - - **Note**
- This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document: - - `Set-AppVClientPackage -Name Myapp -Path c:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration c:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml` - -   ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index a59c999681..7f5e05afcd 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md 
@@ -1,41 +1,45 @@ --- -title: How to Apply the User Configuration File by Using Windows PowerShell (Windows 10) -description: How to Apply the User Configuration File by Using Windows PowerShell +title: How to apply the user configuration file by using Windows PowerShell (Windows 10) +description: How to apply the user configuration file by using Windows PowerShell (Windows 10). author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/15/2018 --- +# How to apply the user configuration file by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# How to Apply the User Configuration File by Using Windows PowerShell +When you publish a package to a specific user, you'll also need to specify a dynamic user configuration file to tell that package how to run. -**Applies to** -- Windows 10, version 1607 +## Apply a user configuration file -The dynamic user configuration file is applied when a package is published to a specific user and determines how the package will run. +Here's how to specify a user-specific configuration file: -Use the following procedure to specify a user-specific configuration file. The following procedure is based on the example: +>[!NOTE] +>The following example cmdlets use this example file path for its package: + > + >* C:\\Packages\\Contoso\\MyApp.appv. + > +>If your package file uses a different file path than the example, feel free to replace it as needed. -**c:\\Packages\\Contoso\\MyApp.appv** +1. Enter the following cmdlet in Windows PowerShell to add the package to the computer: -**To apply a user Configuration file** - -1. To add the package to the computer using the Windows PowerShell console, type the following command: - - `Add-AppVClientPackage c:\Packages\Contoso\MyApp.appv` - -2. 
Use the following command to publish the package to the user and specify the updated the dynamic user configuration file: - - `Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath c:\Packages\Contoso\config.xml` + ```PowerShell + Add-AppVClientPackage C:\Packages\Contoso\MyApp.appv + ``` +2. Enter the following cmdlet to publish the package to the user and specify the updated the dynamic user configuration file: + ```PowerShell + Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath C:\Packages\Contoso\config.xml + ``` ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 1d96b18fb8..ff99b0273a 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -41,29 +41,28 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* **Example:** ```XML - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - True - True - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - True - True - - - + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + true + true + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + true + true + + ``` 3. Save your completed file under the name **ConfigFile**. 
@@ -101,29 +100,28 @@ Updating multipe apps at the same time requires that you create a **ConfigFile** ```XML - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - False - True - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - False - True - - - + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + false + true + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + false + true + + ``` ### Start the App-V Sequencer interface and app installation process @@ -157,4 +155,4 @@ There are three types of log files that occur when you sequence multiple apps at ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index 23a9fe37c6..2495e28dd7 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md 
@@ -1,77 +1,62 @@ --- -title: Automatically cleanup unpublished packages on the App-V client (Windows 10) -description: How to automatically clean-up any unpublished packages on your App-V client devices. +title: Automatically clean up unpublished packages on the App-V client (Windows 10) +description: How to automatically clean up any unpublished packages on your App-V client devices. author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/15/2018 --- +# Automatically clean up unpublished packages on the App-V client +>Applies to: Windows 10, version 1703 -# Automatically cleanup unpublished packages on the App-V client +If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. -**Applies to** -- Windows 10, version 1703 +## Clean up with PowerShell cmdlets -Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. +You can enter PowerShell cmdlets to turn on the **AutoCleanupEnabled** setting, which will automatically clean up your unpublished App-V packages from your App-V client devices. -## Cleanup by using PowerShell commands -Using PowerShell, you can turn on the **AutoCleanupEnabled** setting to automatically cleanup your unpublished App-V packages from your App-V client devices. +### Turn on the AutoCleanupEnabled option -**To turn on the AutoCleanupEnabled option** +1. 
Open PowerShell as an admin and enter the following cmdlet to turn on the automatic package cleanup functionality: -1. Open PowerShell as an admin and run the following command to turn on the automatic package cleanup functionality: - - ```ps1 + ```PowerShell Set-AppvClientConfiguration -AutoCleanupEnabled 1 ``` - The command runs and you should see the following info on the PowerShell screen: - - - - - - - - - - - - - - - - -
NameValueSetbyGroupPolicy
AutoCleanupEnabled1False
+ After running the cmdlet, you should see the following info on the PowerShell screen: -2. Run the following command to make sure the configuration is ready to automatically cleanup your packages. + |Name|Value|SetbyGroupPolicy| + |---|---|---| + |AutoCleanupEnabled|1|False| - ```ps1 +1. Run the following cmdlet to check if the configuration has the cleanup setting turned on. + + ```PowerShell Get-AppvClientConfiguration ``` - You should see the **AutoCleanupEnabled** option turned on (shows a value of "1") in the configuration list. + If the **AutoCleanupEnabled** option shows a value of **1** in the configuration list, that means the setting is turned on. -## Cleanup by using Group Policy settings -Using Group Policy, you can turn on the **Enable automatic cleanup of unused appv packages** setting to automatically cleanup your unpublished App-V packages from your App-V client devices. +## Clean up with Group Policy settings -**To turn on the Enable automatic cleanup of unused appv packages setting** +Using Group Policy, you can turn on the **Enable automatic cleanup of unused App-V packages** setting to automatically clean up your unpublished App-V packages from your App-V client devices. -1. Open your Group Policy editor and double-click the Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused appv packages setting. +### Turn on the Enable automatic cleanup of unused App-V packages setting -2. Click **Enabled**, and then click **OK**. +1. Open your Group Policy editor and select the **Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused App-V packages** setting. - After your Group Policy updates, the setting is turned on and will cleanup any unpublished App-V packages on the App-V Client after restarting. +2. Select **Enabled**, then select **OK**. + + After your Group Policy updates and you reset the client, the setting will clean up any unpublished App-V packages on the App-V client. 
+ +## Have a suggestion for App-V? + +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + +## Related topics -### Related topics - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - - [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186) - -- [Using the App-V Client Management Console](appv-using-the-client-management-console.md) - - -**Have a suggestion for App-V?**

-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file +- [Using the App-V Client Management Console](appv-using-the-client-management-console.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index 7d050134a8..d890609518 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -6,207 +6,26 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/15/2018 --- - # Available Mobile Device Management (MDM) settings for App-V -With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Policy nameSupported versionsDetails
NameWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Name
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
VersionWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Version
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
PublisherWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Publisher
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
InstallLocationWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
InstallDateWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallDate
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
UsersWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Users
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
AppVPackageIDWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
AppVVersionIDWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
AppVPackageUriWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V packages.
  • -
-
LastErrorWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError
  • -
  • Data type. String
  • -
  • Value. Read-only data, provided by your App-V client.
  • -
-
LastErrorDescriptionWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription
  • -
  • Data type. String
  • -
  • Values. -
      -
    • 0. No errors returned during publish.
    • -
    • 1. Unpublish groups failed during publish.
    • -
    • 2. Publish no-group packages failed during publish.
    • -
    • 3. Publish group packages failed during publish.
    • -
    • 4. Unpublish packages failed during publish.
    • -
    • 5. New policy write failed during publish.
    • -
    • 6. Multiple non-fatal errors occurred during publish.
    • -
    -
  • -
-
SyncStatusDescriptionWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription
  • -
  • Data type. String
  • -
  • Values. -
      -
    • 0. App-V publishing is idle.
    • -
    • 1. App-V connection groups publish in progress.
    • -
    • 2. App-V packages (non-connection group) publish in progress.
    • -
    • 3. App-V packages (connection group) publish in progress.
    • -
    • 4. App-V packages unpublish in progress.
    • -
    -
  • -
-
SyncProgressWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress
  • -
  • Data type. String
  • -
  • Values. -
      -
    • 0. App-V Sync is idle.
    • -
    • 1. App-V Sync is initializing.
    • -
    • 2. App-V Sync is in progress.
    • -
    • 3. App-V Sync is complete.
    • -
    • 4. App-V Sync requires device reboot.
    • -
    -
  • -
-
PublishXMLWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML
  • -
  • Data type. String
  • -
  • Value. Custom value, entered by admin.
  • -
-
PolicyWindows 10, version 1703 -
    -
  • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy
  • -
  • Data type. String
  • -
  • Value. Custom value, entered by admin.
  • -
-
\ No newline at end of file +With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. + +|Policy name|Supported versions|URI full path|Data type|Values| +|---|---|---|---|---| +|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.| +|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.| +|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.| +|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.| +|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.| +|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.| +|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.| +|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.| +|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your App-V 
packages.| +|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.| +|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
- **1**: Unpublish groups failed during publish.
- **2**: Publish no-group packages failed during publish.
- **3**: Publish group packages failed during publish.
- **4**: Unpublish packages failed during publish.
- **5**: New policy write failed during publish.
- **6**: Multiple non-fatal errors occurred during publish.| +|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
- **1**: App-V connection groups publish in progress.
- **2**: App-V packages (non-connection group) publish in progress.
- **3**: App-V packages (connection group) publish in progress.
- **4**: App-V packages unpublish in progress.| +|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
- **1**: App-V Sync is initializing.
- **2**: App-V Sync is in progress.
- **3**: App-V Sync is complete.
- **4**: App-V Sync requires device reboot.| +|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.| +|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.| \ No newline at end of file diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md index 58b23dd73f..3423d1c211 100644 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md 
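Review bot: In appv-auto-clean-unpublished-packages.md, the added closing sentence of the Group Policy steps says cleanup happens after "you reset the client", while the new intro in the same hunk says "after restarting your device" and the removed sentence said "after restarting". "Reset" reads as a different and more destructive action than a restart; suggest "restart" so the two statements agree. The second PowerShell step is also numbered "1." again, whereas the Group Policy steps in this file use "1." and "2."; pick one numbering style for the file.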
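Review bot: In the new table in appv-available-mdm-settings.md, the LastError row now reads "Read-only data, provided by your App-V packages", but the removed row said "provided by your App-V client", and its URI sits under AppVPublishing/LastSync rather than AppVPackageManagement. This looks like a copy-paste from the package rows above it; restore "App-V client" for LastError so the conversion from the HTML table does not change what the setting reports.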
@@ -1,67 +1,60 @@ --- -title: How to Configure Access to Packages by Using the Management Console (Windows 10) -description: How to Configure Access to Packages by Using the Management Console +title: How to configure access to packages by using the Management Console (Windows 10) +description: How to configure access to packages by using the App-V Management Console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/18/2018 --- +# How to configure access to packages by using the Management Console - -# How to Configure Access to Packages by Using the Management Console - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group. Use the following procedure to configure access to virtualized packages. -**To grant access to an App-V package** +## Grant access to an App-V package -1. Find the package you want to configure: +1. Find the package you want to configure: - 1. Open the App-V Management console. + 1. Open the App-V Management console. - 2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane. + 1. Right-click the package to be configured, then select **Edit active directory access** to display the **AD Access** page. Alternatively, select the package and select **Edit** in the **AD Access** pane. -2. Provision a security group for the package: +2. Provision a security group for the package: - 1. 
Go to the **FIND VALID ACTIVE DIRECTORY NAMES AND GRANT ACCESS** page. + 1. Go to the **Find valid Active Directory names and grant access** page. - 2. Using the format **mydomain** \\ **groupname**, type the name or part of the name of an Active Directory group object, and click **Check**. + 1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**. - **Note**   - Ensure that you provide an associated domain name for the group that you are searching for. + >[!NOTE]   + >Ensure that you provide an associated domain name for the group that you are searching for. -   +3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD entities with access** pane. -3. To grant access to the package, select the desired group and click **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane. +4. Select **Close** to accept the default configuration settings and close the AD Access page. -4. + To customize configurations for a specific group, select the **Assigned configurations** drop-down menu, then select **Custom**. To make changes to your custom configurations, select **Edit**. After you grant access, select **Close**. - To accept the default configuration settings and close the **AD ACCESS** page, click **Close**. +## Remove access to an App-V package - To customize configurations for a specific group, click the **ASSIGNED CONFIGURATIONS** drop-down and select **Custom**. To configure the custom configurations, click **EDIT**. After you grant access, click **Close**. +1. Find the package you want to configure: -**To remove access to an App-V package** + 1. Open the App-V Management console. -1. Find the package you want to configure: + 1. To display the **AD Access** page, right-click the package to be configured, then select **Edit active directory access**. 
Alternatively, select the package, then select **Edit** in the **AD Access** pane. - 1. Open the App-V Management console. +2. Select the group you want to remove, then select **Delete**. - 2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane. - -2. Select the group you want to remove, and click **DELETE**. - -3. To close the **AD ACCESS** page, click **Close**. +3. Select **Close**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 06b310e729..8c896d56e2 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md 
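Review bot: In step 4 of "Grant access to an App-V package" (appv-configure-access-to-packages-with-the-management-console.md), the rewrite leads with "Select **Close** to accept the default configuration settings and close the AD Access page" and only afterwards describes the custom configuration option, so a reader following the steps in order closes the page before seeing that option. Suggest keeping the conditional form of the removed text ("To accept the default configuration settings and close the AD Access page, select Close") or moving the customization paragraph ahead of it. The added `>[!NOTE]` line also appears to keep the trailing non-breaking spaces from the old "**Note**" line; trim them.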
@@ -1,64 +1,65 @@ --- -title: How to Make a Connection Group Ignore the Package Version (Windows 10) -description: How to Make a Connection Group Ignore the Package Version +title: How to make a connection group ignore the package version (Windows 10) +description: How to make a connection group ignore the package version. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/18/2018 --- +# How to make a connection group ignore the package version +> Applies to: Windows 10, version 1607 -# How to Make a Connection Group Ignore the Package Version +You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create. -**Applies to** -- Windows 10, version 1607 +You can also configure a connection group to accept any version of a package, so that you can upgrade the package without having to disable the connection group. -Application Virtualization (App-V) lets you configure a connection group to use any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create. +- If the connection group has access to multiple versions of a package, App-V will use the latest version. -You can configure a connection group to accept any version of a package, which enables you to upgrade the package without having to disable the connection group: +- If the connection group contains an optional package with an incorrect version, App-V ignores the package and won’t block the connection group’s virtual environment from being created. -- If the connection group has access to multiple versions of a package, the latest version is used. 
+- If the connection group contains a non-optional package that has an incorrect version, App-V won't be able to create the connection group’s virtual environment. -- If the connection group contains an optional package that has an incorrect version, the package is ignored and won’t block the connection group’s virtual environment from being created. +## Make a connection group ignore the package version with the App-V Server Management Console -- If the connection group contains a non-optional package that has an incorrect version, the connection group’s virtual environment cannot be created. - -## To make a connection group ignore the package version by using the App-V Server Management Console - -1. In the Management Console, select **CONNECTION GROUPS**. +1. In the Management Console, select **Connection Groups**. 2. Select the correct connection group from the Connection Groups library. -3. Click **EDIT** in the CONNECTED PACKAGES pane. +3. Select **Edit** in the Connected Packages pane. -4. Select **Use Any Version** check box next to the package name, and click **Apply**. +4. Select the **Use Any Version** check box next to the package name, then select **Apply**. -For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md). +For more about adding or upgrading packages, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md). -## To make a connection group ignore the package version from the App-V client on a stand-alone computer +## Make a connection group ignore the package version from the App-V client on a stand-alone computer 1. Create the connection group XML document. -2. For the package to be upgraded, set the **Package** tag attribute **VersionID** to an asterisk (*). +2. Set the **Package** tag attribute **VersionID** to an asterisk (*) to upgrade the package. 
-3. Use the following cmdlet to add the connection group, and include the path to the connection group XML document: +3. Enter the following cmdlet (including the path to the connection group XML document) to add the connection group: + + ```PowerShell + Add-AppvClientConnectionGroup + ``` + + For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps). - `Add-AppvClientConnectionGroup` - 4. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package: - - RemoveAppvClientPackage - - Add-AppvClientPackage - - Publish-AppvClientPackage + - [**Remove-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps) + - [**Add-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientpackage?view=win10-ps) + - [**Publish-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps) -For more information, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md). +For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Managing Connection Groups](appv-managing-connection-groups.md) +- [Managing connection groups](appv-managing-connection-groups.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 403a5e2cb4..921e2c246d 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2048,12 +2048,18 @@ The following diagram shows the Policy configuration service provider in tree fo

LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways +
LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession +
LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
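Review bot: In appv-configure-connection-groups-to-ignore-the-package-version.md (the file diff that ends just before this one), stand-alone step 2 now reads "Set the **Package** tag attribute **VersionID** to an asterisk (*) to upgrade the package", which says that setting the wildcard performs the upgrade. The removed wording ("For the package to be upgraded, set ...") only scoped the step to the package you plan to upgrade; suggest restoring that meaning. In step 3 the sentence promises "the path to the connection group XML document", but the fenced cmdlet is a bare `Add-AppvClientConnectionGroup`; either show the path argument in the example or drop the parenthetical.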
@@ -2075,6 +2081,9 @@ The following diagram shows the Policy configuration service provider in tree fo
LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM +
LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
@@ -2084,6 +2093,9 @@ The following diagram shows the Policy configuration service provider in tree fo
LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients +
LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
@@ -4407,17 +4419,21 @@ The following diagram shows the Policy configuration service provider in tree fo - [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon) - [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon) - [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways) - [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees) - [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession) - [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways) - 
[LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees) - [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts) - [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares) - [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares) - [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam) +- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm) - [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests) - [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange) - 
[LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel) +- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients) - [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers) - [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication) - [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic) diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 519bdfeb1f..1fb3b009d6 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md 
@@ -236,14 +236,14 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Quick Pair and other proximity based scenarios. +Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. The following list shows the supported values: -- 0 - Disallow. Block users on these managed devices from using Quick Pair and other proximity based scenarios -- 1 - Allow. Allow users on these managed devices to use Quick Pair and other proximity based scenarios +- 0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios +- 1 - Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 49a48f512a..ce338ff2ae 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -6,11 +6,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/06/2018 +ms.date: 06/05/2018 --- # Policy CSP - LocalPoliciesSecurityOptions +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +
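Review bot: The warning added under the "# Policy CSP - LocalPoliciesSecurityOptions" heading says only that "Some information relates to prereleased product", which leaves an admin guessing which settings on this long page are affected. The policies added later in this patch are marked with footnote 5 ("Added in the next major release of Windows 10"), so the warning could point at that marker, for example by stating that policies marked with footnote 5 describe prerelease behavior.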
@@ -81,12 +84,18 @@ ms.date: 04/06/2018
LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways +
LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession +
LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
@@ -108,6 +117,9 @@ ms.date: 04/06/2018
LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM +
LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
@@ -117,6 +129,9 @@ ms.date: 04/06/2018
LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients +
LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
@@ -838,15 +853,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
@@ -914,15 +920,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
@@ -985,15 +982,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
@@ -1495,6 +1483,83 @@ GP Info:
+ +**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Microsoft network client: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB client component. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. + +If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. + +Default: Disabled. + + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. 
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + +GP Info: +- GP English name: *Microsoft network client: Digitally sign communications (always)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ **LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees** @@ -1618,6 +1683,72 @@ GP Info:
+ +**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Microsoft network server: Amount of idle time required before suspending a session + +This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. + +Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. + +For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. + +Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. + + + +GP Info: +- GP English name: *Microsoft network server: Amount of idle time required before suspending session* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ **LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways** @@ -2051,6 +2182,78 @@ GP Info:
+ +**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Allow Local System to use computer identity for NTLM + +This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + +If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. + +If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. + +By default, this policy is enabled on Windows 7 and above. + +By default, this policy is disabled on Windows Vista. + +This policy is supported on at least Windows Vista or Windows Server 2008. + +Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. + + + +GP Info: +- GP English name: *Network security: Allow Local System to use computer identity for NTLM* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ **LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** @@ -2246,6 +2449,75 @@ GP Info:
+ +**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + +This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. +Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + +GP Info: +- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ **LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers** @@ -2359,15 +2631,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
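Review bot: The added NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients description names two options ("Require NTLMv2 session security" and "Require 128-bit encryption") but gives no value for either, so an MDM author cannot tell from this page what to put in the policy payload or how to require both at once. Please add a supported-values list. The "Default:" block also stops at "Windows 7 and Windows Server 2008 R2", while the edition table marks the policy with footnote 5 for Windows 10; state the Windows 10 default as well.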
@@ -2429,15 +2692,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
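Review bot: In the added MicrosoftNetworkClient_DigitallySignCommunicationsAlways section, the four "Microsoft network client/server: Digitally sign communications ..." entries under "Notes" are consecutive plain lines with no list markers, so Markdown will fold them, together with the performance sentence that follows, into one paragraph. Make them a bulleted list and give "SMB packet signing can significantly degrade SMB performance ..." its own paragraph. The section also ends with a bare URL ("For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.") where the rest of the page uses Markdown links, and it states "Default: Disabled" without listing the values that correspond to enabled and disabled.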
@@ -2499,15 +2753,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
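Review bot: The added MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession text never states the unit of the value. The default is described in minutes ("15 minutes for servers"), but 99999 minutes is roughly 69 days, not the "208 days" given for the maximum, so please name the unit next to the 0 to 99999 range and recheck that figure. Smaller fixes in the same block: "Default:This policy" is missing a space, and the title line says "before suspending a session" while the GP English name says "before suspending session".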
@@ -2569,15 +2814,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
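Review bot: The added NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM section carries over statements about Windows Vista and Windows Server 2008 ("This policy is supported on at least Windows Vista or Windows Server 2008", "By default, this policy is disabled on Windows Vista"), while the edition table above it marks the policy with footnote 5, "Added in the next major release of Windows 10". A reader cannot tell whether the OS statements describe the Group Policy setting or the CSP node; say so explicitly or drop the legacy lines. Because disabling the setting makes Local System services authenticate anonymously when reverting to NTLM, the section should also list the values for enabled and disabled so the choice is unambiguous in an MDM profile.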
@@ -3406,6 +3642,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index e6ed98d713..0fe52da790 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -171,7 +171,7 @@ The XML below is the current version for this CSP. - MCCMNPairs + MCCMNCPairs @@ -477,7 +477,202 @@ The XML below is the current version for this CSP. + + + + RootCertificate4 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate5 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate6 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 12baa5bed8..a45bae0f51 100644 --- a/windows/configuration/customize-and-export-start-layout.md 
+++ b/windows/configuration/customize-and-export-start-layout.md @@ -91,9 +91,9 @@ When you have the Start layout that you want your users to see, use the [Export- **To export the Start layout to an .xml file** -1. Right Click Start, select **Windows PowerShell (Admin)**. +1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**. -2. At the Administrator: Windows PowerShell command prompt, enter the following command: +2. At the Windows PowerShell command prompt, enter the following command: `Export-StartLayout –path .xml ` diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 7610e6fe75..34225059f4 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -52,7 +52,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi 12. Enter a friendly name for the configuration. 10. In **Kiosk Mode**, select **Multi app kiosk**. 13. Select an app type. - - For **Add Win32 app**, enter the **App Name** and **Identifier**. + - For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**. - For **Add managed apps**, select an app that you manage through Intune. - For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app. 14. Select whether to enable the taskbar. @@ -61,7 +61,8 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi 17. Select **OK**. You can add additional configurations or finish. 18. Assign the profile to a device group to configure the devices in that group as kiosks. - +>[!NOTE] +>Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription. 
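Review bot: In lock-down-windows-10-to-specific-apps.md, the added NOTE that defines managed apps sits after step 18, but the term is used in step 13 ("For **Add managed apps**, select an app that you manage through Intune"). Move the note directly under the step 13 sub-list, indented so the numbered list continues, or fold the definition into that bullet so the reader has it at the point of choosing an app type.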
diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index 36581a3438..a2442ee9fb 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md @@ -270,7 +270,9 @@ The following steps explain how to configure a kiosk in Microsoft Intune. For ot 7. Select **Windows 10 and later** for the platform. 8. Select **Kiosk (Preview)** for the profile type. 9. Enter a friendly name for the kiosk configuration. -10. In **Kiosk Mode**, select **Single full-screen app kiosk**. +10. Select **Kiosk - 1 setting available**. +10. Select **Add** to add a kiosk configuration. +10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**. 10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate. 1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account. 14. Select **OK**, and then select **Create**. diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 58bb51fd67..82f903e308 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md 
@@ -30,6 +30,8 @@ Organizations might want to deploy a customized Start and taskbar configuration >Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703. > >Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). +> +>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 81a57be6d4..5b3a7b3474 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 03/20/2018 +ms.date: 06/12/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo 
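Review bot: In setup-kiosk-digital-signage.md, the last of the three added steps repeats "Enter a friendly name for the kiosk configuration", which the unchanged step 9 already asks for. If the first name belongs to the profile and the second to the kiosk configuration created with **Add**, say so in each step; otherwise remove one of them so the procedure does not ask for the same input twice.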
@@ -24,13 +24,16 @@ Steps are provided in sections that follow the recommended setup process: -## Add Device Health to Microsoft Operations Management Suite +## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics -Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. +**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. 
Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. -**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe: +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace. + +**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 6cfecd1c73..9d1b01ce0f 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
@@ -23,12 +23,16 @@ Steps are provided in sections that follow the recommended setup process: -## Add Update Compliance to Microsoft Operations Management Suite +## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace. + + If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index c28763cabf..774f54ce73 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md 
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -229,7 +229,7 @@ The deployment script displays the following exit codes to let you know if it wa 32 - Appraiser version on the machine is outdated. - The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1. + The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. 33 - **CompatTelRunner.exe** exited with an exit code diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index e80d01d273..2972c0ff9c 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 03/20/2018 +ms.date: 06/12/2018 ms.localizationpriority: high --- 
@@ -35,7 +35,7 @@ When you are ready to begin using Upgrade Readiness, perform the following steps To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. -## Add Upgrade Readiness to Operations Management Suite +## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). 
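Review bot: The heading becomes "Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics", but the paragraph directly under it still describes Upgrade Readiness only as "a solution in the Microsoft Operations Management Suite (OMS)" and links only to the OMS overview. Update that paragraph in the same change, as the Device Health and Upgrade Readiness requirements pages in this patch do, so the section body matches its heading.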
@@ -44,11 +44,14 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. -If you are not using OMS: +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace. -1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and select **New Customers >** to start the process. -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. +If you are not using OMS or Azure Log Analytics: + +1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. +2. 
Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. +3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. 4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 21dfb741d1..7695e28a28 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -5,7 +5,7 @@ keywords: windows analytics, oms, operations management suite, prerequisites, re ms.prod: w10 author: jaimeo ms.author: -ms.date: 03/15/2018 +ms.date: 06/12/2018 ms.localizationpriority: high --- @@ -21,7 +21,7 @@ To perform an in-place upgrade, user computers must be running the latest versio The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. - + If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. 
@@ -32,19 +32,20 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1 ### Windows 10 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. -The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). +The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. -## Operations Management Suite +## Operations Management Suite or Azure Log Analytics -Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premise and cloud computing environments. 
For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace. +If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. You can also -If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/windowsforbusiness/simplified-updates) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it. +If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. 
Once the link has been established, you can revoke the administrator permissions. +>[!IMPORTANT] +>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. ## System Center Configuration Manager integration diff --git a/windows/deployment/upgrade/windows-10-downgrade-paths.md b/windows/deployment/upgrade/windows-10-downgrade-paths.md index 4422179d21..3fc6d13445 100644 --- a/windows/deployment/upgrade/windows-10-downgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-downgrade-paths.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay -ms.date: 06/07/2018 +ms.date: 06/15/2018 --- # Windows 10 downgrade paths @@ -77,9 +77,9 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a Pro for Workstations - ✔ - ✔ + + diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md index d0be3c4145..ba3adcb3c4 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-endpoints.md 
@@ -34,7 +34,7 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -502,8 +502,7 @@ In addition to the endpoints listed for Windows 10 Enterprise, the following end | *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | | *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | | *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2/ -HTTPS | Used for Windows Update downloads of apps and OS updates. | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | | .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | | telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | | 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | 
@@ -530,8 +529,7 @@ HTTPS | Used for Windows Update downloads of apps and OS updates. | | dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | | fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | | g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | 
@@ -553,11 +551,9 @@ HTTPS | Enables connections to Windows Update, Microsoft Update, and the online | pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | | pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | | purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2/ -HTTPS | Used to retrieve Windows Spotlight metadata. | +| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | | settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | | star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | | storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | | storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | @@ -579,8 +575,7 @@ HTTPS | Enables connections to Windows Update. | | **Destination** | **Protocol** | **Description** | | --- | --- | --- | | *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | HTTP/ -TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | | *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | | *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | | *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | 
@@ -594,8 +589,7 @@ TLSv1.2 | Used to check for updates to maps that have been downloaded for offlin | *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | | *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | | *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2/ -HTTPS | Used for Windows Update downloads of apps and OS updates. | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | | 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | | 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | | 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | 
@@ -620,8 +614,7 @@ HTTPS | Used for Windows Update downloads of apps and OS updates. | | evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | | fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | 
@@ -706,8 +699,7 @@ HTTPS | Enables connections to Windows Update, Microsoft Update, and the online | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | HTTP/ -TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | | geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | | geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | | go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 0e81b79e6d..7d32f96c99 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -28,7 +28,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: - Support for Virtualization-based security (required) - Secure boot (required) -- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) +- TPM 1.2 or 2.0, either discrete or firmware (preferred - provides binding to hardware) - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) The Virtualization-based security requires: 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index d68c571a53..06c5e2b538 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md 
@@ -64,7 +64,7 @@ A TPM virtual smart card simulates a physical smart card, and it uses the TPM to - **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. - **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. - For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). + For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. 
@@ -261,7 +261,9 @@ The most common scenario in an organization is reissuing virtual smart cards, wh #### Blocked virtual smart card -The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire. +The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire. + +For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](https://docs.microsoft.com/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon). ## See also 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 7ed9c2166c..0b99703f80 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 06/18/2018 --- # BitLocker: How to enable Network Unlock @@ -83,7 +83,7 @@ The server side configuration to enable Network Unlock also requires provisionin The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. -### Step One: Install the WDS Server role +### Install the WDS Server role The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. @@ -95,7 +95,7 @@ Install-WindowsFeature WDS-Deployment You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. -### Step Two: Confirm the WDS Service is running +### Confirm the WDS Service is running To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. 
@@ -104,7 +104,7 @@ To confirm the service is running using Windows PowerShell, use the following co ``` syntax Get-Service WDSServer ``` -### Step Three: Install the Network Unlock feature +### Install the Network Unlock feature To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. 
@@ -113,7 +113,37 @@ To install the feature using Windows PowerShell, use the following command: ``` syntax Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Step Four: Create the Network Unlock certificate +### Create the certificate template for Network Unlock + +A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. + +1. Open the Certificates Template snap-in (certtmpl.msc). +2. Locate the User template. Right-click the template name and select **Duplicate Template**. +3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected. +4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. +5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. +6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.) +7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**. +8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears. +9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. +10. 
Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**. +11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. +12. On the **Edit Application Policies Extension** dialog box, select **Add**. +13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: + + - **Name:** **BitLocker Network Unlock** + - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** + +14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**. +15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. +16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission. +17. Select **OK** to complete configuration of the template. + +To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. + +After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. + +### Create the Network Unlock certificate Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. 
@@ -184,7 +214,7 @@ Certreq example: 5. Launch Certificates - Local Machine by running **certlm.msc**. 6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. -### Step Five: Deploy the private key and certificate to the WDS server +### Deploy the private key and certificate to the WDS server With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: @@ -193,7 +223,7 @@ With the certificate and key created, deploy them to the infrastructure to prope 3. In the **File to Import** dialog, choose the .pfx file created previously. 4. Enter the password used to create the .pfx and complete the wizard. -### Step Six: Configure Group Policy settings for Network Unlock +### Configure Group Policy settings for Network Unlock With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. 
@@ -218,7 +248,7 @@ The following steps describe how to deploy the required Group Policy setting: >**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.   -### Step Seven: Require TPM+PIN protectors at startup +### Require TPM+PIN protectors at startup An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: 
@@ -226,36 +256,6 @@ An additional step is for enterprises to use TPM+PIN protectors for an extra lev 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option. 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. -### Create the certificate template for Network Unlock - -The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. - -1. Open the Certificates Template snap-in (certtmpl.msc). -2. Locate the User template. Right-click the template name and select **Duplicate Template**. -3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected. -4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. -5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. -6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.) -7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**. -8. Select the **Subject Name** tab. Select **Supply in the request**. 
Select **OK** if the certificate templates pop-up dialog appears. -9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. -10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**. -11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. -12. On the **Edit Application Policies Extension** dialog box, select **Add**. -13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: - - - **Name:** **BitLocker Network Unlock** - - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** - -14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**. -15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. -16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission. -17. Select **OK** to complete configuration of the template. - -To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. - -After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. 
- ### Subnet policy configuration files on WDS Server (Optional) By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. @@ -285,13 +285,13 @@ The subnet policy configuration file must use a “\[SUBNETS\]” section to ide To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". -### Turning off Network Unlock +## Turning off Network Unlock To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. >**Note:**  Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.   -### Update Network Unlock certificates +## Update Network Unlock certificates To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 37b3f8e0ef..2cccdefa60 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -18,12 +18,11 @@ ms.date: 10/16/2017 This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -## +## BitLocker overview BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been -tampered with while the system was offline. +BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md index db335bddd1..6aac433261 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 05/03/2018 +ms.date: 06/12/2018 --- # BitLocker Security FAQ 
@@ -27,7 +27,7 @@ The recommended practice for BitLocker configuration on an operating system driv ## What are the implications of using the sleep or hibernate power management options? -BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. +BitLocker on operating system drives in its basic configuration (with a TPM but without additional startup authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an additional startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) or Mobile Device Management with the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). ## What are the advantages of a TPM? diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 6d409e7449..47d5189976 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -71,7 +71,7 @@ Passive mode | Windows Defender AV will not be used as the antivirus app, and th Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +If you are enrolled in Windows Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 4bf7c5ff89..1d9c033045 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -18,6 +18,7 @@ ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) ### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) +### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 58bfcf7ebb..3330eda208 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 09/21/2017 +ms.date: 06/08/2018 --- # Configure an AppLocker policy for audit only @@ -21,8 +21,6 @@ This topic for IT professionals describes how to set AppLocker policies to **Aud After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**. When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. - ->**Note:**  There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).   You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index ae37d52989..0dbc282f16 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: jsuther1974 -ms.date: 06/08/2018 +ms.date: 06/14/2018 --- # Microsoft recommended block rules @@ -384,7 +384,278 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
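Review bot: in the Network Unlock hunk at `@@ -285,13 +285,13 @@`, "Turning off Network Unlock" and "Update Network Unlock certificates" are promoted to `##` while "Subnet policy configuration files on WDS Server (Optional)" directly above stays at `###`, so confirm that the resulting outline is the intended one. While this passage is open, the context line ending in `“DISABLED".` pairs a curly opening quote with a straight closing quote; use one quote style so the literal value an administrator has to type into the subnet list is unambiguous.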
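Review bot: in bitlocker-overview.md at `@@ -18,12 +18,11 @@`, the context sentence "Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM" can be read as "only one of them does". Since the paragraph is already being reflowed, change it to "Neither option provides ..." so the security caveat for computers without a TPM is stated unambiguously.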
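Review bot: in bitlocker-security-faq.md at `@@ -27,7 +27,7 @@`, the new Group Policy link uses an absolute docs.microsoft.com URL with the fragment `#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup`, which looks generated from inline HTML in the target heading and will break silently if that heading is cleaned up. Other links in this patch are relative `.md` links; use a relative link to bitlocker-group-policy-settings.md with a stable bookmark instead. The link text "Bitlocker CSP" should also be capitalized "BitLocker CSP" to match the rest of the paragraph.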
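Review bot: in windows-defender-antivirus-compatibility.md at `@@ -71,7 +71,7 @@`, the added sentence says "third party antimalware product" while the next paragraph says "third-party antivirus product"; pick one term and hyphenate it, and add a comma before "then passive mode is enabled". In the same hunk, the "Automatic disabled mode" table row ends with `(images/svg/check-no.svg)]]`, which has one closing bracket too many and should be fixed while the table is being touched.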
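Review bot: in the WDAC TOC.md hunk at `@@ -18,6 +18,7 @@`, the new entry points to use-windows-defender-application-control-with-intelligent-security-graph.md, but no diff adding that file is visible in this part of the patch. Confirm that the topic ships in the same change so the TOC entry does not link to a missing page.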
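Review bot: in configure-an-applocker-policy-for-audit-only.md at `@@ -21,8 +21,6 @@`, deleting the note "There is no audit mode for the DLL rule collection" leaves the remaining text implying that **Audit only** applies to every rule collection. If the DLL rule collection now honors audit-only, say so explicitly in the paragraph; if it does not, keep the note, because an administrator following this page could enable DLL rules expecting them to be audited and have them enforced instead. The removal also drops the only pointer to enable-the-dll-rule-collection.md on this page.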
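Review bot: in microsoft-recommended-block-rules.md, the hunk at `@@ -384,7 +384,278 @@` grows the section by 271 lines, yet every added line shows up empty here, so the new block rules cannot be checked against the list of applications the page recommends blocking. Make sure the added content is fenced or escaped so that it is visible in the diff and on the rendered page, and state in the commit message which entries were added along with the `ms.date` change to 06/14/2018.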