Merge branch 'master' into App-v-revision

.openpublishing.redirection.json

@@ -1,5 +1,11 @@
 {
 "redirections": [
+
+{
+"source_path": "windows/deployment/update/windows-update-sources.md",
+"redirect_url": "/windows/deployment/update/how-windows-update-works",
+"redirect_document_id": true
+},
 {
 "source_path": "windows/security/threat-protection/intelligence/av-tests.md",
 "redirect_url": "/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests",
@@ -6856,6 +6862,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/start-taskbar-lockscreen.md",
+"redirect_url": "/windows/configuration/windows-10-start-layout-options-and-policies",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/stop-employees-from-using-the-windows-store.md",
 "redirect_url": "/windows/configuration/stop-employees-from-using-the-windows-store",
 "redirect_document_id": true

devices/surface-hub/index.md

@@ -54,6 +54,7 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof
 ## Additional resources
 
 - [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history)
+- [Surface Hub help](https://support.microsoft.com/hub/4343507/surface-hub-help)
 - [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/)
 - [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ)
 - [Microsoft Surface on Twitter](https://twitter.com/surface)

windows/application-management/msix-app-packaging-tool.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.localizationpriority: medium
 ms.author: mikeblodge
 ms.topic: article
-ms.date: 08/01/2018
+ms.date: 09/21/2018
 ---
 
 # Repackage existing win32 applications to the MSIX format
@@ -23,6 +23,13 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft
 - A valid MSA alias (to access the app from the Store) 
 
 ## What's new
+v1.2018.915.0
+- Updated UI to improve clarity and experience
+- Ability to generate a template file for use with a command line
+- Ability to add/remove entry points
+- Ability to sign your package from package editor
+- File extension handling
+
 v1.2018.821.0
 - Command Line Support
 - Ability to use existing local virtual machines for packaging environment.
@@ -147,7 +154,9 @@ Requirements:
         DisableWindowsUpdateService ="true"/>
     <!--Note: this section takes precedence over the Settings::ApplyAllPrepareComputerFixes attribute -->
 
-    <SaveLocation Path="C:\users\user\Desktop" />
+    <SaveLocation
+    PackagePath="C:\users\user\Desktop\MyPackage.msix" 
+    TemplatePath="C:\users\user\Desktop\MyTemplate.xml" />
 
     <Installer
         Path="C:\MyAppInstaller.msi"
@@ -201,7 +210,8 @@ Here is the complete list of parameters that you can use in the Conversion templ
 |PrepareComputer:: DisableSmsHostService     |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes.         |
 |PrepareComputer:: DisableWindowsUpdateService     |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes.         |
 |SaveLocation     |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder.         |
-|SaveLocation::Path     |The path to the folder where the resulting MSIX package is saved.         |
+|SaveLocation::PackagePath     |[optional] The path to the file or folder where the resulting MSIX package is saved.         |
+|SaveLocation::TemplatePath    |[optional] The path to the file or folder where the resulting CLI template is saved.    |
 |Installer::Path     |The path to the application installer.         |
 |Installer::Arguments     |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. If the installer is an msi or appv, pass an empty argument ie Installer=””.        |
 |Installer::InstallLocation     |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation").         |

windows/client-management/connect-to-remote-aadj-pc.md

@@ -33,11 +33,11 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
 
    ![Allow remote connections to this computer](images/allow-rdp.png)
 
-  3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
+  3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. 
   >[!NOTE]
   >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
   >
-  >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`
+  >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
   >
   >In Windows 10, version 1709, the user does not have to sign in to the remote device first.
   >

windows/client-management/mdm/assignedaccess-csp.md

@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 04/25/2018
+ms.date: 09/18/2018
 ---
 
 # AssignedAccess CSP
@@ -95,15 +95,36 @@ In Windows 10, version 1803, Assigned Access runtime status only supports monito
 
 Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
 
-
 |Status code  | KioskModeAppRuntimeStatus |
 |---------|---------|
 | 1     | KioskModeAppRunning         |
 | 2     | KioskModeAppNotFound          |
 | 3     | KioskModeAppActivationFailure         |
 
+Additionally, the status payload includes a profileId that can be used by the MDM server to correlate which kiosk app caused the error.
 
-Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error.
+In Windows 10, version 1810, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes.
+
+|Status|Description|
+|---|---|
+|Running|The AssignedAccess account (kiosk or multi-app) is running normally.|
+|AppNotFound|The kiosk app isn't deployed to the machine.|
+|ActivationFailed|The AssignedAccess account (kiosk or multi-app) failed to sign in.|
+|AppNoResponse|The kiosk app launched successfully but is now unresponsive.|
+
+Note that status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus.
+
+|Status code|AssignedAccessRuntimeStatus|
+|---|---|
+|1|Running|
+|2|AppNotFound|
+|3|ActivationFailed|
+|4|AppNoResponse|
+
+Additionally, the Status payload includes the following fields:
+
+- profileId: can be used by the MDM server to correlate which account caused the error.
+- OperationList: list of failed operations that occurred while applying the assigned access CSP, if any exist.
 
 Supported operation is Get.
 
@@ -1116,10 +1137,11 @@ ShellLauncherConfiguration Get
 
     <xs:simpleType name="status_t">
         <xs:restriction base="xs:int">
-            <xs:enumeration value="0"/>
-            <xs:enumeration value="1"/>
-            <xs:enumeration value="2"/>
-            <xs:enumeration value="3"/>
+            <xs:enumeration value="0"/> <!-- Unknown -->
+            <xs:enumeration value="1"/> <!-- Running -->
+            <xs:enumeration value="2"/> <!-- AppNotFound -->
+            <xs:enumeration value="3"/> <!-- ActivationFailed -->
+            <xs:enumeration value="4"/> <!-- AppNoResponse -->
         </xs:restriction>
     </xs:simpleType>
 
@@ -1129,19 +1151,35 @@ ShellLauncherConfiguration Get
         </xs:restriction>
     </xs:simpleType>
 
+    <xs:complexType name="operation_t">
+        <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+            <xs:element name="errorCode" type="xs:int" minOccurs="1" maxOccurs="1"/>
+            <xs:element name="data" type="xs:string" minOccurs="0" maxOccurs="1"/>
+        </xs:sequence>
+    </xs:complexType>
+
+    <xs:complexType name="operationlist_t">
+        <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:element name="Operation" type="operation_t" minOccurs="1" maxOccurs="unbounded"/>
+        </xs:sequence>
+    </xs:complexType>
+
     <xs:complexType name="event_t">
         <xs:sequence minOccurs="1" maxOccurs="1">
             <xs:element name="status" type="status_t" minOccurs="1" maxOccurs="1"/>
             <xs:element name="profileId" type="guid_t" minOccurs="1" maxOccurs="1"/>
+            <xs:element name="errorCode" type="xs:int" minOccurs="0" maxOccurs="1"/>
+            <xs:element name="OperationList" type="operationlist_t" minOccurs="0" maxOccurs="1"/>
         </xs:sequence>
-        <xs:attribute name="Name" type="xs:string" fixed="KioskModeAppRuntimeStatus" use="required"/>
+        <xs:attribute name="Name" type="xs:string" use="required"/>
     </xs:complexType>
 
     <xs:element name="Events">
         <xs:complexType>
-            <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:choice minOccurs="1" maxOccurs="1">
                 <xs:element name="Event" type="event_t" minOccurs="1" maxOccurs="1"/>
-            </xs:sequence>
+            </xs:choice>
         </xs:complexType>
     </xs:element>
 </xs:schema>

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/27/2018
+ms.date: 09/20/2018
 ---
 
 # What's new in MDM enrollment and management
@@ -1405,7 +1405,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Defender/EnableLowCPUPriority</li>
 <li>Defender/SignatureUpdateFallbackOrder</li>
 <li>Defender/SignatureUpdateFileSharesSources</li>
-<li>DeviceGuard/EnableSystemGuard</li>
+<li>DeviceGuard/ConfigureSystemGuardLaunch</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
 <li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>
@@ -1762,9 +1762,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ### September 2018
 
-New or updated topic | Description
---- | ---
-[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).
+|New or updated topic | Description|
+|--- | ---|
+|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
+|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
 
 ### August 2018
 
@@ -1912,7 +1913,7 @@ New or updated topic | Description
 <li>Defender/EnableLowCPUPriority</li>
 <li>Defender/SignatureUpdateFallbackOrder</li>
 <li>Defender/SignatureUpdateFileSharesSources</li>
-<li>DeviceGuard/EnableSystemGuard</li>
+<li>DeviceGuard/ConfigureSystemGuardLaunch</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
 <li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -987,7 +987,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 
 <dl>
   <dd>
-    <a href="./policy-csp-deviceguard.md#deviceguard-enablesystemguard" id="deviceguard-enablesystemguard">DeviceGuard/EnableSystemGuard</a>
+    <a href="./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch" id="deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a>
   </dd>
   <dd>
     <a href="./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity" id="deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
@@ -4324,7 +4324,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
 -   [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
 -   [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
--   [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard)
+-   [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
 -   [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
 -   [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
 -   [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)

windows/client-management/mdm/policy-csp-deviceguard.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/30/2018
+ms.date: 09/20/2018
 ---
 
 # Policy CSP - DeviceGuard
@@ -22,7 +22,7 @@ ms.date: 07/30/2018
 
 <dl>
   <dd>
-    <a href="#deviceguard-enablesystemguard">DeviceGuard/EnableSystemGuard</a>
+    <a href="#deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a>
   </dd>
   <dd>
     <a href="#deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
@@ -39,7 +39,7 @@ ms.date: 07/30/2018
 <hr/>
 
 <!--Policy-->
-<a href="" id="deviceguard-enablesystemguard"></a>**DeviceGuard/EnableSystemGuard**  
+<a href="" id="deviceguard-configuresystemguardlaunch"></a>**DeviceGuard/ConfigureSystemGuardLaunch**  
 
 <!--SupportedSKUs-->
 <table>

windows/client-management/mdm/policy-ddf-file.md

@@ -25635,7 +25635,7 @@ Related policy:
           </DFType>
         </DFProperties>
         <Node>
-          <NodeName>EnableSystemGuard</NodeName>
+          <NodeName>ConfigureSystemGuardLaunch</NodeName>
           <DFProperties>
             <AccessType>
               <Add />
@@ -27217,7 +27217,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Get />
               <Replace />
             </AccessType>
-            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
+            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. 
                         Related policy: PreventUsersFromTurningOnBrowserSyncing
                         0 (default) = allow syncing, 2 = disable syncing</Description>
             <DFFormat>
@@ -33474,7 +33474,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Replace />
             </AccessType>
             <Description>Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
-
+                
                 This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.</Description>
             <DFFormat>
               <chr/>
@@ -33862,7 +33862,7 @@ If you disable or do not configure this policy (recommended), users will be able
 Notes
 
 If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
-Disabling the Administrator account can become a maintenance issue under certain circumstances.
+Disabling the Administrator account can become a maintenance issue under certain circumstances. 
 
 Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts.  If the computer is domain joined the disabled administrator will not be enabled.
 
@@ -34352,7 +34352,7 @@ The options are:
  No Action
  Lock Workstation
  Force Logoff
- Disconnect if a Remote Desktop Services session
+ Disconnect if a Remote Desktop Services session 
 
 If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
 
@@ -35374,7 +35374,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli
 
 The options are:
 
-• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
 
 • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.</Description>
             <DFFormat>
@@ -44745,7 +44745,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
               <Get />
               <Replace />
             </AccessType>
-            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 
 1) The access token that is being impersonated is for this user.
 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
 3) The requested level is less than Impersonate, such as Anonymous or Identify.
@@ -47064,11 +47064,11 @@ Because of these factors, users do not usually need this user right. Warning: If
 
   <xs:element name="ForceRestart">
     <xs:complexType>
-      <xs:attribute name="StartDateTime" type="xs:dateTime" use="required"/>
-      <xs:attribute name="Recurrence" type="recurrence" use="required"/>
-      <xs:attribute name="RunIfTaskIsMissed" type="xs:boolean" use="required"/>
-      <xs:attribute name="DaysOfWeek" type="daysOfWeek"/>
-      <xs:attribute name="DaysOfMonth" type="daysOfMonth"/>
+      <xs:attribute name="StartDateTime" type="xs:dateTime" use="required"/> 
+      <xs:attribute name="Recurrence" type="recurrence" use="required"/> 
+      <xs:attribute name="RunIfTaskIsMissed" type="xs:boolean" use="required"/> 
+      <xs:attribute name="DaysOfWeek" type="daysOfWeek"/> 
+      <xs:attribute name="DaysOfMonth" type="daysOfMonth"/> 
     </xs:complexType>
   </xs:element>
 </xs:schema>]]></MSFT:XMLSchema>
@@ -55084,7 +55084,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Get />
             </AccessType>
             <DefaultValue>0</DefaultValue>
-            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
+            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. 
                         Related policy: PreventUsersFromTurningOnBrowserSyncing
                         0 (default) = allow syncing, 2 = disable syncing</Description>
             <DFFormat>
@@ -62093,7 +62093,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
             </AccessType>
             <DefaultValue></DefaultValue>
             <Description>Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
-
+                
                 This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.</Description>
             <DFFormat>
               <chr/>
@@ -62491,7 +62491,7 @@ If you disable or do not configure this policy (recommended), users will be able
 Notes
 
 If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
-Disabling the Administrator account can become a maintenance issue under certain circumstances.
+Disabling the Administrator account can become a maintenance issue under certain circumstances. 
 
 Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts.  If the computer is domain joined the disabled administrator will not be enabled.
 
@@ -63024,7 +63024,7 @@ The options are:
  No Action
  Lock Workstation
  Force Logoff
- Disconnect if a Remote Desktop Services session
+ Disconnect if a Remote Desktop Services session 
 
 If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
 
@@ -64127,7 +64127,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli
 
 The options are:
 
-• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
 
 • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.</Description>
             <DFFormat>
@@ -74444,7 +74444,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
               <Get />
             </AccessType>
             <DefaultValue></DefaultValue>
-            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 
 1) The access token that is being impersonated is for this user.
 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
 3) The requested level is less than Impersonate, such as Anonymous or Identify.

windows/configuration/TOC.md

@@ -27,18 +27,17 @@
 ### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
 ### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
 ## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
-## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
-### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
-### [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md)
-### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-#### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-#### [Customize and export Start layout](customize-and-export-start-layout.md)
-#### [Add image for secondary tiles](start-secondary-tiles.md)
-#### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-#### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-#### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-#### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+## [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
+## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md)
+## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+### [Customize and export Start layout](customize-and-export-start-layout.md)
+### [Add image for secondary tiles](start-secondary-tiles.md)
+### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
 ## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
 ### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
 #### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md)

windows/configuration/guidelines-for-assigned-access-app.md

@@ -46,7 +46,7 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
 In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. 
 
 >[!NOTE]
->Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser.
+>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
 
 
 **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education).

windows/configuration/index.md

@@ -26,7 +26,9 @@ Enterprises often need to apply custom configurations to devices for their users
 | [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. |
 | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app.  |
 | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. |
-| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
+| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.</br></br>**Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. |
+| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. |
+| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. |
 | [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.  |
 | [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. |
 | [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) | Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. This topic helps IT administrators learn about built-in accessibility features. |

windows/configuration/start-taskbar-lockscreen.md

@@ -1,30 +0,0 @@
----
-title: Configure Start layout, taskbar, and lock screen for Windows 10 PCs (Windows 10)
-description: 
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: jdeckerms
-ms.author: jdecker
-ms.topic: article
-ms.date: 07/27/2017
----
-
-# Configure Start layout, taskbar, and lock screen for Windows 10 PCs 
-
-
-
-## In this section 
-
-| Topic | Description |
-| --- | --- |
-| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.</br></br>**Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. |
-| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. |
-| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. |
-
-
-## Related topics
-
-- [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)

windows/configuration/windows-10-start-layout-options-and-policies.md

@@ -116,7 +116,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a
 If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events:
 
 - **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml.   This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format.
-- **Event 64**  is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood or source is not found such as a missing or misspelled .lnk.
+- **Event 64**  is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood, elements are not in [the required order](start-layout-xml-desktop.md#required-order), or source is not found, such as a missing or misspelled .lnk.
 
 
 

windows/deployment/TOC.md

@@ -217,6 +217,13 @@
 ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
 ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
 ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
+### [Get started with Windows Update](update/windows-update-overview.md)
+#### [How Windows Update works](update/how-windows-update-works.md)
+#### [Windows Update log files](update/windows-update-logs.md)
+#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md)
+#### [Common Windows Update errors](update/windows-update-errors.md)
+#### [Windows Update error code reference](update/windows-update-error-reference.md)
+#### [Other Windows Update resources](update/windows-update-resources.md)
 ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
 #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
 #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
@@ -234,7 +241,6 @@
 ### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
 ### [Manage device restarts after updates](update/waas-restart.md)
 ### [Manage additional Windows Update settings](update/waas-wu-settings.md)
-### [Determine the source of Windows updates](update/windows-update-sources.md)
 ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
 
 ## [Windows Analytics](update/windows-analytics-overview.md)

windows/deployment/update/change-history-for-update-windows-10.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
 ms.author: daniha
-ms.date: 09/05/2019
+ms.date: 09/18/2018
 ---
 
 # Change history for Update Windows 10
@@ -15,6 +15,13 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
 
 >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
 
+## September 2018
+
+| New or changed topic | Description |
+| --- | --- |
+| [Get started with Windows Update](windows-update-overview.md) | New | 
+
+
 ## RELEASE: Windows 10, version 1709
 
 The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). 

windows/deployment/update/how-windows-update-works.md

@@ -0,0 +1,142 @@
+---
+title: How Windows Update works 
+description: Learn how Windows Update works, including architecture and troubleshooting
+ms.prod: w10
+ms.mktglfcycl: 
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# How does Windows Update work?
+
+>Applies to: Windows 10
+
+The Windows Update workflow has four core areas of functionality: 
+
+### Scan
+
+1. Orchestrator schedules the scan.
+2. Orchestrator vertifies admin approvals and policies for download.
+
+
+### Download
+1. Orchestrator initiates downloads.
+2. Windows Update downloads manifest files and provides them to the arbiter.
+3. The arbiter evaluates the manifest and tells the Windows Update client to download files.
+4. Windows Update client downloads files in a temporary folder.
+5. The arbiter stages the downloaded files.
+
+
+### Install
+1. Orchestrator initates the installation.
+2. The arbiter calls the installer to install the package.
+
+
+### Commit
+1. Orchestrator initiates a restart.
+2. The arbiter finalizes before the restart.
+
+
+## How updating works 
+During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. 
+
+## Scanning updates 
+![Windows Update scanning step](images/update-scan-step.png)
+
+The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.  
+
+When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. 
+
+Make sure you're familiar with the following terminology related to Windows Update scan:
+
+|Term|Definition|
+|----|----------|
+|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| 
+|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| 
+|Child update|Leaf update that's bundled by another update; contains payload.| 
+|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| 
+|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. |
+|Full scan|Scan with empty datastore.| 
+|Delta scan|Scan with updates from previous scan already cached in datastore.| 
+|Online scan|Scan that hits network and goes against server on cloud. |
+|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. |
+|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| 
+|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| 
+|Software sync|Part of the scan that looks at software updates only (OS and apps).|  
+|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| 
+|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. |
+
+### How Windows Update scanning works 
+ 
+Windows Update takes the following sets of actions when it runs a scan. 
+
+#### Starts the scan for updates  
+When users start scanning in Windows Update through the Settings panel, the following occurs:  
+
+- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. 
+- "Agent" messages: queueing the scan, then actually starting the work: 
+   - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. 
+   - Windows Update uses the thread ID filtering to concentrate on one particular task. 
+
+      ![Windows Update scan log 1](images/update-scan-log-1.png)
+
+#### Identifies service IDs
+
+- Service IDs indicate which update source is being scanned. 
+   Note The next screen shot shows Microsoft Update and the Flighting service. 
+
+- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. 
+   ![Windows Update scan log 2](images/update-scan-log-2.png)
+- Common service IDs 
+
+   >[!IMPORTANT]
+   >ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. 
+ 
+|Service|ServiceId|
+|-------|---------| 
+|Unspecified / Default|WU, MU or WSUS <br>00000000-0000-0000-0000-000000000000 |
+|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| 
+|MU|7971f918-a847-4430-9279-4a52d1efe18d| 
+|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| 
+|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| 
+|WSUS or SCCM|Via ServerSelection::ssManagedServer <br>3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
+|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| 
+
+#### Finds network faults
+Common update failure is caused due to network issues. To find the root of the issue:  
+
+- Look for "ProtocolTalker" messages to see client-server sync network traffic. 
+- "SOAP faults" can be either client- or server-side issues; read the message. 
+- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. 
+
+   >[!NOTE]
+   >Warning messages for SLS can be ignored if the search is against WSUS/SCCM. 
+
+- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured.
+   ![Windows Update scan log 3](images/update-scan-log-3.png)
+   
+## Downloading updates 
+![Windows Update download step](images/update-download-step.png)
+
+Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer.  
+
+To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. 
+ 
+For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). 
+
+## Installing updates 
+![Windows Update install step](images/update-install-step.png)
+
+When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list".  
+
+The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. 
+ 
+## Committing Updates 
+![Windows Update commit step](images/update-commit-step.png)
+
+When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or  the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed.  
+
+For more information see [Manage device restarts after updates](waas-restart.md). 

windows/deployment/update/waas-optimize-windows-10-updates.md

@@ -7,7 +7,7 @@ ms.sitesec: library
 author: DaniHalfin
 ms.localizationpriority: medium
 ms.author: daniha
-ms.date: 07/27/2017
+ms.date: 09/24/2018
 ---
 
 # Optimize Windows 10 update delivery
@@ -38,7 +38,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
 
 | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
 | --- | --- | --- | --- | --- |
-| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
+| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
 | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
 
 >[!NOTE]

windows/deployment/update/waas-overview.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 author: Jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.date: 09/07/2018
+ms.date: 09/24/2018
 ---
 
 # Overview of Windows as a service
@@ -121,7 +121,12 @@ Once the latest release went through pilot deployment and testing, you choose th
 
 When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
 
-Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases, while after about 4 months, we will announce broad deployment readiness, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Each feature update release will be supported and updated for 18 months from the time of its release
+
+Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases.  All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release.
+
+>[!NOTE]
+All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607, 1703, 1709 and 1803. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18 month lifecycle.
+
 
 >[!NOTE]
 >Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.

windows/deployment/update/windows-update-error-reference.md

@@ -0,0 +1,362 @@
+---
+title: Windows Update error code list by component 
+description: Reference information for Windows Update error codes
+ms.prod: w10
+ms.mktglfcycl: 
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update error codes by component
+
+>Applies to: Windows 10
+
+
+This section lists the error codes for Microsoft Windows Update. 
+ 
+## Automatic Update Errors 
+
+|Error code|Message|Description| 
+|-|-|-|
+|0x80243FFF|WU_E_AUCLIENT_UNEXPECTED|There was a user interface error not covered by another WU_E_AUCLIENT_* error code.|
+|0x8024A000|WU_E_AU_NOSERVICE|Automatic Updates was unable to service incoming requests. | 
+|0x8024A002|WU_E_AU_NONLEGACYSERVER|The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded.|  
+|0x8024A003 |WU_E_AU_LEGACYCLIENTDISABLED| The old version of the Automatic Updates client was disabled.|  
+|0x8024A004|WU_E_AU_PAUSED|Automatic Updates was unable to process incoming requests because it was paused.|  
+|0x8024A005|WU_E_AU_NO_REGISTERED_SERVICE| No unmanaged service is registered with AU.|  
+|0x8024AFFF|WU_E_AU_UNEXPECTED| An Automatic Updates error not covered by another WU_E_AU * code.|  
+ 
+## Windows Update UI errors 
+
+|Error code|Message|Description| 
+|-|-|-|
+|0x80243001|WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION|The results of download and installation could not be read from the registry due to an unrecognized data format version.|  
+|0x80243002|WU_E_INSTALLATION_RESULTS_INVALID_DATA|The results of download and installation could not be read from the registry due to an invalid data format.|  
+|0x80243003|WU_E_INSTALLATION_RESULTS_NOT_FOUND |The results of download and installation are not available; the operation may have failed to start.|  
+|0x80243004| WU_E_TRAYICON_FAILURE| A failure occurred when trying to create an icon in the taskbar notification area.|
+|0x80243FFD| WU_E_NON_UI_MODE| Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  |
+|0x80243FFE| WU_E_WUCLTUI_UNSUPPORTED_VERSION| Unsupported version of WU client UI exported functions.  |
+|0x80243FFF| WU_E_AUCLIENT_UNEXPECTED| There was a user interface error not covered by another WU_E_AUCLIENT_* error code.  |
+ 
+## Inventory errors 
+
+|Error code|Message|Description| 
+|-|-|-|
+|0x80249001| WU_E_INVENTORY_PARSEFAILED| Parsing of the rule file failed. | 
+|0x80249002| WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED | Failed to get the requested inventory type from the server. | 
+|0x80249003| WU_E_INVENTORY_RESULT_UPLOAD_FAILED| Failed to upload inventory result to the server. | 
+|0x80249004| WU_E_INVENTORY_UNEXPECTED| There was an inventory error not covered by another error code.|  
+|0x80249005| WU_E_INVENTORY_WMI_ERROR| A WMI error occurred when enumerating the instances for a particular class.  |
+ 
+## Expression evaluator errors 
+
+|Error code|Message|Description| 
+|-|-|-|
+|0x8024E001 | WU_E_EE_UNKNOWN_EXPRESSION | An expression evaluator operation could not be completed because an expression was unrecognized.|
+|0x8024E002| WU_E_EE_INVALID_EXPRESSION| An expression evaluator operation could not be completed because an expression was invalid.  |
+|0x8024E003| WU_E_EE_MISSING_METADATA| An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. | 
+|0x8024E004| WU_E_EE_INVALID_VERSION| An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. | 
+| 0x8024E005| WU_E_EE_NOT_INITIALIZED| The expression evaluator could not be initialized.|  
+| 0x8024E006| WU_E_EE_INVALID_ATTRIBUTEDATA | An expression evaluator operation could not be completed because there was an invalid attribute.|
+| 0x8024E007| WU_E_EE_CLUSTER_ERROR | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. | 
+| 0x8024EFFF| WU_E_EE_UNEXPECTED| There was an expression evaluator error not covered by another WU_E_EE_* error code.  |
+ 
+## Reporter errors 
+
+|Error code|Message|Description| 
+|-|-|-|
+| 0x80247001| WU_E_OL_INVALID_SCANFILE | An operation could not be completed because the scan package was invalid.|  
+|0x80247002| WU_E_OL_NEWCLIENT_REQUIRED| An operation could not be completed because the scan package requires a greater version of the Windows Update Agent.|  
+| 0x80247FFF| WU_E_OL_UNEXPECTED| Search using the scan package failed. | 
+| 0x8024F001| WU_E_REPORTER_EVENTCACHECORRUPT| The event cache file was defective. | 
+| 0x8024F002 | WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED | The XML in the event namespace descriptor could not be parsed.|  
+| 0x8024F003| WU_E_INVALID_EVENT| The XML in the event namespace descriptor could not be parsed.|  
+| 0x8024F004| WU_E_SERVER_BUSY| The server rejected an event because the server was too busy.|  
+| 0x8024FFFF| WU_E_REPORTER_UNEXPECTED| There was a reporter error not covered by another error code. | 
+ 
+## Redirector errors  
+The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. 
+
+|Error code|Message|Description |
+|-|-|-|
+| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  |
+| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | 
+| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  |
+| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  |
+ 
+## Protocol Talker errors  
+The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method.  
+
+|Error code|Message|Description|
+|-|-|-| 
+| 0x80244000| WU_E_PT_SOAPCLIENT_BASE| WU_E_PT_SOAPCLIENT_* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library.|
+|0x80244001| WU_E_PT_SOAPCLIENT_INITIALIZE| Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. |
+| 0x80244002| WU_E_PT_SOAPCLIENT_OUTOFMEMORY| Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory. | 
+| 0x80244003| WU_E_PT_SOAPCLIENT_GENERATE| Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request.|  
+| 0x80244004| WU_E_PT_SOAPCLIENT_CONNECT| Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server. |
+| 0x80244005| WU_E_PT_SOAPCLIENT_SEND| Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_* error codes.|
+| 0x80244006| WU_E_PT_SOAPCLIENT_SERVER| Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error. | 
+| 0x80244007| WU_E_PT_SOAPCLIENT_SOAPFAULT| Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.|
+| 0x80244008| WU_E_PT_SOAPCLIENT_PARSEFAULT| Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault.|  
+| 0x80244009| WU_E_PT_SOAPCLIENT_READ| Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server.|
+| 0x8024400A| WU_E_PT_SOAPCLIENT_PARSE| Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server. |
+ 
+ 
+ 
+## Other Protocol Talker errors 
+The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. 
+
+|Error code|Message|Description| 
+|-|-|-|
+| 0x8024400B| WU_E_PT_SOAP_VERSION| Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope.|
+| 0x8024400C| WU_E_PT_SOAP_MUST_UNDERSTAND| Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  |
+| 0x8024400D| WU_E_PT_SOAP_CLIENT| Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending. |
+| 0x8024400E| WU_E_PT_SOAP_SERVER| Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later. |
+| 0x8024400F| WU_E_PT_WMI_ERROR| There was an unspecified Windows Management Instrumentation (WMI) error.|  
+| 0x80244010| WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS| The number of round trips to the server exceeded the maximum limit. |
+| 0x80244011| WU_E_PT_SUS_SERVER_NOT_SET| WUServer policy value is missing in the registry. | 
+| 0x80244012| WU_E_PT_DOUBLE_INITIALIZATION| Initialization failed because the object was already initialized. |
+| 0x80244013| WU_E_PT_INVALID_COMPUTER_NAME| The computer name could not be determined. |
+| 0x80244015| WU_E_PT_REFRESH_CACHE_REQUIRED| The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.|  
+| 0x80244016| WU_E_PT_HTTP_STATUS_BAD_REQUEST| Same as HTTP status 400 - the server could not process the request due to invalid syntax. |
+| 0x80244017| WU_E_PT_HTTP_STATUS_DENIED| Same as HTTP status 401 - the requested resource requires user authentication. |
+| 0x80244018| WU_E_PT_HTTP_STATUS_FORBIDDEN| Same as HTTP status 403 - server understood the request but declined to fulfill it.| 
+| 0x80244019| WU_E_PT_HTTP_STATUS_NOT_FOUND| Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). |
+| 0x8024401A| WU_E_PT_HTTP_STATUS_BAD_METHOD| Same as HTTP status 405 - the HTTP method is not allowed.  |
+| 0x8024401B| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ| Same as HTTP status 407 - proxy authentication is required. | 
+| 0x8024401C| WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT| Same as HTTP status 408 - the server timed out waiting for the request. |
+| 0x8024401D| WU_E_PT_HTTP_STATUS_CONFLICT| Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. |
+| 0x8024401E| WU_E_PT_HTTP_STATUS_GONE| Same as HTTP status 410 - requested resource is no longer available at the server.|
+| 0x8024401F| WU_E_PT_HTTP_STATUS_SERVER_ERROR| Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
+| 0x80244020| WU_E_PT_HTTP_STATUS_NOT_SUPPORTED| Same as HTTP status 500 - server does not support the functionality required to fulfill the request. | 
+| 0x80244021| WU_E_PT_HTTP_STATUS_BAD_GATEWAY |Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request.| 
+| 0x80244022| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL| Same as HTTP status 503 - the service is temporarily overloaded.  |
+| 0x80244023| WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT| Same as HTTP status 503 - the request was timed out waiting for a gateway. |
+| 0x80244024| WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP| Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. | 
+| 0x80244025| WU_E_PT_FILE_LOCATIONS_CHANGED| Operation failed due to a changed file location; refresh internal state and resend.|  
+| 0x80244026| WU_E_PT_REGISTRATION_NOT_SUPPORTED| Operation failed because Windows Update Agent does not support registration with a non-WSUS server. | 
+| 0x80244027| WU_E_PT_NO_AUTH_PLUGINS_REQUESTED| The server returned an empty authentication information list.  |
+| 0x80244028| WU_E_PT_NO_AUTH_COOKIES_CREATED| Windows Update Agent was unable to create any valid authentication cookies. | 
+| 0x80244029| WU_E_PT_INVALID_CONFIG_PROP| A configuration property value was wrong. | 
+| 0x8024402A| WU_E_PT_CONFIG_PROP_MISSING| A configuration property value was missing. | 
+| 0x8024402B| WU_E_PT_HTTP_STATUS_NOT_MAPPED| The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_* error codes. |
+| 0x8024402C| WU_E_PT_WINHTTP_NAME_NOT_RESOLVED| Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. |
+| 0x8024402F| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS| External cab file processing completed with some errors.|
+| 0x80244030| WU_E_PT_ECP_INIT_FAILED| The external cab processor initialization did not complete. |
+| 0x80244031| WU_E_PT_ECP_INVALID_FILE_FORMAT| The format of a metadata file was invalid. |
+| 0x80244032| WU_E_PT_ECP_INVALID_METADATA| External cab processor found invalid metadata. |
+| 0x80244033| WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST| The file digest could not be extracted from an external cab file. |
+| 0x80244034| WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE| An external cab file could not be decompressed. |
+| 0x80244035| WU_E_PT_ECP_FILE_LOCATION_ERROR| External cab processor was unable to get file locations. |
+| 0x80244FFF| WU_E_PT_UNEXPECTED| A communication error not covered by another WU_E_PT_* error code. |
+| 0x8024502D| WU_E_PT_SAME_REDIR_ID| Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
+| 0x8024502E| WU_E_PT_NO_MANAGED_RECOVER| A redirector recovery action did not complete because the server is managed. | 
+ 
+## Download Manager errors 
+
+|Error code|Message|Description|
+|-|-|-| 
+| 0x80246001| WU_E_DM_URLNOTAVAILABLE| A download manager operation could not be completed because the requested file does not have a URL. |
+| 0x80246002| WU_E_DM_INCORRECTFILEHASH| A download manager operation could not be completed because the file digest was not recognized. |
+| 0x80246003| WU_E_DM_UNKNOWNALGORITHM| A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. | 
+| 0x80246004| WU_E_DM_NEEDDOWNLOADREQUEST| An operation could not be completed because a download request is required from the download handler. |
+| 0x80246005| WU_E_DM_NONETWORK| A download manager operation could not be completed because the network connection was unavailable. |
+| 0x80246006| WU_E_DM_WRONGBITSVERSION| A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible.|  
+| 0x80246007| WU_E_DM_NOTDOWNLOADED| The update has not been downloaded. | 
+| 0x80246008| WU_E_DM_FAILTOCONNECTTOBITS| A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS).|  
+| 0x80246009|WU_E_DM_BITSTRANSFERERROR| A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  |
+| 0x8024600A| WU_E_DM_DOWNLOADLOCATIONCHANGED| A download must be restarted because the location of the source of the download has changed.|  
+| 0x8024600B| WU_E_DM_CONTENTCHANGED| A download must be restarted because the update content changed in a new revision.  |
+| 0x80246FFF| WU_E_DM_UNEXPECTED| There was a download manager error not covered by another WU_E_DM_* error code.  |
+ 
+## Update Handler errors 
+
+|Error code|Message|Description| 
+|-|-|-|
+| 0x80242000| WU_E_UH_REMOTEUNAVAILABLE|9 A request for a remote update handler could not be completed because no remote process is available. |
+| 0x80242001| WU_E_UH_LOCALONLY| A request for a remote update handler could not be completed because the handler is local only. |
+| 0x80242002| WU_E_UH_UNKNOWNHANDLER| A request for an update handler could not be completed because the handler could not be recognized. |
+| 0x80242003| WU_E_UH_REMOTEALREADYACTIVE| A remote update handler could not be created because one already exists.  |
+| 0x80242004| WU_E_UH_DOESNOTSUPPORTACTION| A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall).|  
+| 0x80242005| WU_E_UH_WRONGHANDLER| An operation did not complete because the wrong handler was specified.  |
+| 0x80242006| WU_E_UH_INVALIDMETADATA| A handler operation could not be completed because the update contains invalid metadata. |
+| 0x80242007| WU_E_UH_INSTALLERHUNG| An operation could not be completed because the installer exceeded the time limit. |
+| 0x80242008| WU_E_UH_OPERATIONCANCELLED| An operation being done by the update handler was cancelled. | 
+| 0x80242009| WU_E_UH_BADHANDLERXML| An operation could not be completed because the handler-specific metadata is invalid.  |
+| 0x8024200A| WU_E_UH_CANREQUIREINPUT| A request to the handler to install an update could not be completed because the update requires user input. | 
+| 0x8024200B| WU_E_UH_INSTALLERFAILURE| The installer failed to install (uninstall) one or more updates.  |
+| 0x8024200C| WU_E_UH_FALLBACKTOSELFCONTAINED| The update handler should download self-contained content rather than delta-compressed content for the update. | 
+| 0x8024200D| WU_E_UH_NEEDANOTHERDOWNLOAD| The update handler did not install the update because it needs to be downloaded again.  |
+| 0x8024200E| WU_E_UH_NOTIFYFAILURE| The update handler failed to send notification of the status of the install (uninstall) operation.  |
+| 0x8024200F| WU_E_UH_INCONSISTENT_FILE_NAMES | The file names contained in the update metadata and in the update package are inconsistent.  |
+| 0x80242010| WU_E_UH_FALLBACKERROR| The update handler failed to fall back to the self-contained content.  |
+| 0x80242011| WU_E_UH_TOOMANYDOWNLOADREQUESTS| The update handler has exceeded the maximum number of download requests.  |
+| 0x80242012| WU_E_UH_UNEXPECTEDCBSRESPONSE| The update handler has received an unexpected response from CBS.  |
+| 0x80242013| WU_E_UH_BADCBSPACKAGEID| The update metadata contains an invalid CBS package identifier.  |
+| 0x80242014| WU_E_UH_POSTREBOOTSTILLPENDING| The post-reboot operation for the update is still in progress.  |
+| 0x80242015| WU_E_UH_POSTREBOOTRESULTUNKNOWN| The result of the post-reboot operation for the update could not be determined.  |
+| 0x80242016| WU_E_UH_POSTREBOOTUNEXPECTEDSTATE| The state of the update after its post-reboot operation has completed is unexpected.  |
+| 0x80242017| WU_E_UH_NEW_SERVICING_STACK_REQUIRED| The OS servicing stack must be updated before this update is downloaded or installed.  |
+| 0x80242FFF| WU_E_UH_UNEXPECTED| An update handler error not covered by another WU_E_UH_* code.  |
+ 
+## Data Store errors  
+
+|Error code|Message|Description |
+|-|-|-|
+| 0x80248000| WU_E_DS_SHUTDOWN| An operation failed because Windows Update Agent is shutting down.  |
+| 0x80248001| WU_E_DS_INUSE| An operation failed because the data store was in use.|  
+| 0x80248002| WU_E_DS_INVALID| The current and expected states of the data store do not match.|  
+| 0x80248003| WU_E_DS_TABLEMISSING| The data store is missing a table.  |
+| 0x80248004| WU_E_DS_TABLEINCORRECT| The data store contains a table with unexpected columns.  |
+| 0x80248005| WU_E_DS_INVALIDTABLENAME| A table could not be opened because the table is not in the data store. |
+| 0x80248006| WU_E_DS_BADVERSION| The current and expected versions of the data store do not match. |
+| 0x80248007| WU_E_DS_NODATA| The information requested is not in the data store.  |
+| 0x80248008| WU_E_DS_MISSINGDATA| The data store is missing required information or has a NULL in a table column that requires a non-null value.  |
+| 0x80248009| WU_E_DS_MISSINGREF| The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
+| 0x8024800A| WU_E_DS_UNKNOWNHANDLER| The update was not processed because its update handler could not be recognized.  |
+| 0x8024800B| WU_E_DS_CANTDELETE| The update was not deleted because it is still referenced by one or more services.  |
+| 0x8024800C| WU_E_DS_LOCKTIMEOUTEXPIRED| The data store section could not be locked within the allotted time.  |
+| 0x8024800D| WU_E_DS_NOCATEGORIES | The category was not added because it contains no parent categories and is not a top-level category itself.  |
+| 0x8024800E| WU_E_DS_ROWEXISTS| The row was not added because an existing row has the same primary key.  |
+| 0x8024800F| WU_E_DS_STOREFILELOCKED| The data store could not be initialized because it was locked by another process.  |
+| 0x80248010| WU_E_DS_CANNOTREGISTER| The data store is not allowed to be registered with COM in the current process.  
+| 0x80248011| WU_E_DS_UNABLETOSTART| Could not create a data store object in another process.  
+| 0x80248013| WU_E_DS_DUPLICATEUPDATEID |The server sent the same update to the client with two different revision IDs.  
+| 0x80248014 |WU_E_DS_UNKNOWNSERVICE| An operation did not complete because the service is not in the data store.  
+| 0x80248015 |WU_E_DS_SERVICEEXPIRED |An operation did not complete because the registration of the service has expired.  
+| 0x80248016 | WU_E_DS_DECLINENOTALLOWED | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  
+| 0x80248017 | WU_E_DS_TABLESESSIONMISMATCH| A table was not closed because it is not associated with the session.  
+| 0x80248018 | WU_E_DS_SESSIONLOCKMISMATCH| A table was not closed because it is not associated with the session.  
+| 0x80248019 | WU_E_DS_NEEDWINDOWSSERVICE| A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  
+| 0x8024801A | WU_E_DS_INVALIDOPERATION| A request was declined because the operation is not allowed.  
+| 0x8024801B | WU_E_DS_SCHEMAMISMATCH| The schema of the current data store and the schema of a table in a backup XML document do not match.  
+| 0x8024801C | WU_E_DS_RESETREQUIRED| The data store requires a session reset; release the session and retry with a new session.  
+| 0x8024801D | WU_E_DS_IMPERSONATED| A data store operation did not complete because it was requested with an impersonated identity.  
+| 0x80248FFF | WU_E_DS_UNEXPECTED| A data store error not covered by another WU_E_DS_* code.  
+ 
+## Driver Util errors  
+The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. 
+
+|Error code|Message|Description 
+|-|-|-|
+| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  
+| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  
+| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  
+| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  
+| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  
+| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  
+| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  
+| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  
+ 
+## Windows Update error codes 
+
+|Error code|Message|Description 
+|-|-|-|
+| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  
+| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  
+| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  
+| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  
+| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  
+| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  
+| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  
+| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  
+| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  
+| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  
+| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  
+| 0x8024000C | WU_E_NOOP| No operation was required.  
+| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  
+| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  
+| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  
+| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  
+| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  
+| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  
+| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  
+| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  
+| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  
+| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  
+| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  
+| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  
+| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  
+| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  
+| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  
+| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  
+| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  
+| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  
+| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  
+| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  
+| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  
+| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  
+| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  
+| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  
+| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  
+| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  
+| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  
+| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  
+| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  
+| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  
+| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  
+| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  
+| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  
+| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  
+| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  
+| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  
+| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  
+| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  
+| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  
+| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  
+| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  
+| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  
+| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  
+| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  
+| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  
+| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  
+| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  
+ 
+## Windows Update success codes 
+
+|Error code|Message|Description 
+|-|-|-|
+| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  
+| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  
+| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  
+| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  
+| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  
+| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  
+| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  
+| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.  
+ 
+## Windows Installer minor errors  
+The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.  
+
+|Error code|Message|Description 
+|-|-|-|
+| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.  
+| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  
+| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.  
+| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.  
+| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.  
+ 
+## Windows Update Agent update and setup errors 
+
+|Error code|Message|Description 
+|-|-|-|
+| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.  
+| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.  
+| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.  
+| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.  
+| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.  
+| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.  
+| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.  
+| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.  
+| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  
+| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.  
+| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.  
+| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.  
+| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.  
+| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.  
+| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.  
+| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.  
+| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.  

windows/deployment/update/windows-update-errors.md

@@ -0,0 +1,35 @@
+---
+title: Windows Update common errors and mitigation
+description: Learn about some common issues you might experience with Windows Update
+ms.prod: w10
+ms.mktglfcycl: 
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update common errors and mitigation
+
+>Applies to: Windows 10
+
+The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them.
+
+|Error Code|Message|Description|Mitigation|
+|-|-|-|-| 
+|0x8024402F|WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS|External cab file processing completed with some errors|One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering. <br>The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed |
+|0x80242006|WU_E_UH_INVALIDMETADATA|A handler operation could not be completed because the update contains invalid metadata.|Rename Software Redistribution Folder and attempt to download the updates again: <br>Rename the following folders to *.BAK: <br>- %systemroot%\system32\catroot2 <br><br>To do this, type the following commands at a command prompt. Press ENTER after you type each command.<br>- Ren %systemroot%\SoftwareDistribution\DataStore *.bak<br>- Ren %systemroot%\SoftwareDistribution\Download *.bak<br>Ren %systemroot%\system32\catroot2 *.bak |
+|0x80070BC9|ERROR_FAIL_REBOOT_REQUIRED|The requested operation failed. A system reboot is required to roll back changes made.|Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS.|  
+|0x80200053|BG_E_VALIDATION_FAILED|NA|Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.<br><br>If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). |  
+|0x80072EE2|WININET_E_TIMEOUT|The operation timed out|This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked: <br> http://*.update.microsoft.com<br>https://*.update.microsoft.com <br>http://download.windowsupdate.com  <br><br>Additionally , you can take a network trace and see what is timing out. <Refer to Firewall Troubleshooting scenario> |
+|0x80072EFD <br>0x80072EFE <br>0x80D02002|TIME OUT ERRORS|The operation timed out|Make sure there are no firewall rules or proxy to block Microsoft download URLs. <br>Take a network monitor trace to understand better. <Refer to Firewall Troubleshooting scenario>| 
+|0X8007000D|ERROR_INVALID_DATA|Indicates invalid data downloaded or corruption occurred.|Attempt to re-download the update and initiate installation. |
+|0x8024A10A|USO_E_SERVICE_SHUTTING_DOWN|Indicates that the WU Service is shutting down.|This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. |
+|0x80240020|WU_E_NO_INTERACTIVE_USER|Operation did not complete because there is no logged-on interactive user.|Please login to the system to initiate the installation and allow the system to be rebooted.  |
+|0x80242014|WU_E_UH_POSTREBOOTSTILLPENDING|The post-reboot operation for the update is still in progress.|Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. |
+|0x80246017|WU_E_DM_UNAUTHORIZED_LOCAL_USER|The download failed because the local user was denied authorization to download the content.|Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).|
+|0x8024000B|WU_E_CALL_CANCELLED|Operation was cancelled.|This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete.| 
+|0x8024000E|WU_E_XML_INVALID|Windows Update Agent found invalid information in the update's XML data.|Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | 
+|0x8024D009|WU_E_SETUP_SKIP_UPDATE|An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.|You may encounter this error when WSUS is not sending the Self-update to the clients.<br><br>Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue.| 
+|0x80244007|WU_E_PT_SOAPCLIENT_SOAPFAULT|SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.|This issue occurs because Windows cannot renew the cookies for Windows Update.  <br><br>Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue.| 

windows/deployment/update/windows-update-logs.md

@@ -0,0 +1,142 @@
+---
+title: Windows Update log files 
+description: Learn about the Windows Update log files
+ms.prod: w10
+ms.mktglfcycl: 
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update log files
+
+>Applies to: Windows 10
+
+The following table describes the log files created by Windows Update.
+
+
+|Log file|Location|Description|When to Use |
+|-|-|-|-|
+|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.|
+|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.  <br>When Updates are downloaded but installation is not triggered.<br>When Updates are installed but reboot is not triggered. |
+|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. |
+|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.|
+
+## Generating WindowsUpdate.log 
+To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). 
+
+>[!NOTE]
+>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. 
+ 
+### Windows Update log components 
+The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: 
+
+- AGENT- Windows Update agent 
+- AU - Automatic Updates is performing this task 
+- AUCLNT- Interaction between AU and the logged-on user 
+- CDM- Device Manager 
+- CMPRESS- Compression agent 
+- COMAPI- Windows Update API 
+- DRIVER- Device driver information 
+- DTASTOR- Handles database transactions 
+- EEHNDLER- Expression handler that's used to evaluate update applicability 
+- HANDLER- Manages the update installers 
+- MISC- General service information 
+- OFFLSNC- Detects available updates without network connection 
+- PARSER- Parses expression information 
+- PT- Synchronizes updates information to the local datastore 
+- REPORT- Collects reporting information 
+- SERVICE- Startup/shutdown of the Automatic Updates service 
+- SETUP- Installs new versions of the Windows Update client when it is available 
+- SHUTDWN- Install at shutdown feature 
+- WUREDIR- The Windows Update redirector files 
+- WUWEB- The Windows Update ActiveX control 
+- ProtocolTalker - Client-server sync 
+- DownloadManager - Creates and monitors payload downloads 
+- Handler, Setup -  Installer handlers (CBS, and so on) 
+- EEHandler -  Evaluating update applicability rules 
+- DataStore - Caching update data locally 
+- IdleTimer - Tracking active calls, stopping a service 
+ 
+>[!NOTE] 
+>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. 
+ 
+### Windows Update log structure 
+The Windows update log structure is separated into four main identities: 
+
+- Time Stamps 
+- Process ID and Thread ID 
+- Component Name 
+- Update Identifiers    
+   - Update ID and Revision Number 
+   - Revision ID 
+   - Local ID 
+   - Inconsistent terminology 
+
+The WindowsUpdate.log structure is discussed in the following sections. 
+
+#### Time stamps  
+The time stamp indicates the time at which the logging occurs. 
+- Messages are usually in chronological order, but there may be exceptions. 
+- A pause during a sync can indicate a network problem, even if the scan succeeds. 
+- A long pause near the end of a scan can indicate a supersedence chain issue.   
+   ![Windows Update time stamps](images/update-time-log.png)
+
+
+#### Process ID and thread ID  
+The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. 
+- The first four hex digits are the process ID. 
+- The next four hex digits are the thread ID. 
+- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID.   
+   ![Windows Update process and thread IDs](images/update-process-id.png)
+
+
+#### Component name  
+Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: 
+
+- ProtocolTalker - Client-server sync 
+- DownloadManager - Creates and monitors payload downloads 
+- Handler, Setup - Installer handlers (CBS, etc.) 
+- EEHandler - Evaluating update applicability rules 
+- DataStore - Caching update data locally 
+- IdleTimer - Tracking active calls, stopping service 
+
+![Windows Update component name](images/update-component-name.png)
+
+
+#### Update identifiers  
+
+##### Update ID and revision number 
+There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. 
+- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time 
+- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service 
+- Revision numbers are reused from one update to another (not a unique identifier). 
+- The update ID and revision number are often shown together as "{GUID}.revision." 
+   ![Windows Update update identifiers](images/update-update-id.png)
+
+
+##### Revision ID 
+- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. 
+- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. 
+- Revision IDs are unique on a given update source, but not across multiple sources. 
+- The same update revision may have completely different revision IDs on WU and WSUS. 
+- The same revision ID may represent different updates on WU and WSUS. 
+
+##### Local ID 
+- Local ID is a serial number issued when an update is received from a service by a given WU client 
+- Usually seen in debug logs, especially involving the local cache for update info (Datastore) 
+- Different client PCs will assign different Local IDs to the same update 
+- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file 
+
+##### Inconsistent terminology 
+- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. 
+- Recognize IDs by form and context: 
+    
+   - GUIDs are update IDs 
+   - Small integers that appear alongside an update ID are revision numbers 
+   - Large integers are typically revision IDs 
+   - Small integers (especially in Datastore) can be local IDs 
+      ![Windows Update inconsisten terminology](images/update-inconsistent.png)
+

windows/deployment/update/windows-update-overview.md

@@ -0,0 +1,54 @@
+---
+title: Get started with Windows Update 
+description: Learn how Windows Update works, including architecture and troubleshooting
+ms.prod: w10
+ms.mktglfcycl: 
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Get started with Windows Update
+
+>Applies to: Windows 10
+
+With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates.  
+
+Ues the following information to get started with Windows Update:
+
+- Understand the UUP architecture
+- Understand [how Windows Update works](how-windows-update-works.md)
+- Find [Windows Update log files](windows-update-logs.md)
+- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md)
+- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md)
+- Review [other resources](windows-update-resources.md) to help you use Windows Update
+
+## Unified Update Platform (UUP) architecture 
+To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. 
+
+![Windows Update terminology](images/update-terminology.png)
+
+- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. 
+- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.  
+
+   Update types- 
+   - OS Feature updates 
+   - OS Security updates 
+   - Device drivers 
+   - Defender definition updates 
+
+   >[!NOTE]
+      > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update.
+      >
+      >Store apps aren't installed by USO, today they are separate. 
+
+- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller.  
+- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. 
+- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. 
+ 
+Additional components include the following- 
+
+- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. 
+- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.  

windows/deployment/update/windows-update-resources.md

@@ -0,0 +1,123 @@
+---
+title: Windows Update - Additional resources 
+description: Additional resources for Windows Update
+ms.prod: w10
+ms.mktglfcycl: 
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update - additional resources
+
+>Applies to: Windows 10
+
+The following resources provide additional information about using Windows Update.
+
+## WSUS Troubleshooting 
+ 
+[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/) 
+ 
+[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/) 
+ 
+[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/) 
+ 
+[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) 
+ 
+ 
+## How do I reset Windows Update components? 
+ 
+[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.  
+
+ 
+[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update. 
+ 
+ 
+## Reset Windows Update components manually 
+1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: 
+   ```
+   cmd
+   ```  
+2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.  
+   ```
+   net stop bits  
+   net stop wuauserv 
+   ```
+3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER:  
+   ```
+   Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" 
+   ```
+4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.  
+   1. Rename the following folders to *.BAK:  
+      - %systemroot%\SoftwareDistribution\DataStore  
+      - %systemroot%\SoftwareDistribution\Download  
+      - %systemroot%\system32\catroot2 
+      
+      To do this, type the following commands at a command prompt. Press ENTER after you type each command.  
+      - Ren %systemroot%\SoftwareDistribution\DataStore *.bak  
+      - Ren %systemroot%\SoftwareDistribution\Download *.bak  
+      - Ren %systemroot%\system32\catroot2 *.bak 
+   2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.  
+      - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)  
+      - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) 
+5. Type the following command at a command prompt, and then press ENTER:  
+   ```
+   cd /d %windir%\system32 
+   ```
+6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.  
+   - regsvr32.exe atl.dll  
+   - regsvr32.exe urlmon.dll  
+   - regsvr32.exe mshtml.dll  
+   - regsvr32.exe shdocvw.dll  
+   - regsvr32.exe browseui.dll  
+   - regsvr32.exe jscript.dll  
+   - regsvr32.exe vbscript.dll  
+   - regsvr32.exe scrrun.dll  
+   - regsvr32.exe msxml.dll  
+   - regsvr32.exe msxml3.dll  
+   - regsvr32.exe msxml6.dll  
+   - regsvr32.exe actxprxy.dll  
+   - regsvr32.exe softpub.dll  
+   - regsvr32.exe wintrust.dll  
+   - regsvr32.exe dssenh.dll  
+   - regsvr32.exe rsaenh.dll  
+   - regsvr32.exe gpkcsp.dll  
+   - regsvr32.exe sccbase.dll  
+   - regsvr32.exe slbcsp.dll  
+   - regsvr32.exe cryptdlg.dll  
+   - regsvr32.exe oleaut32.dll  
+   - regsvr32.exe ole32.dll  
+   - regsvr32.exe shell32.dll  
+   - regsvr32.exe initpki.dll  
+   - regsvr32.exe wuapi.dll  
+   - regsvr32.exe wuaueng.dll  
+   - regsvr32.exe wuaueng1.dll  
+   - regsvr32.exe wucltui.dll  
+   - regsvr32.exe wups.dll  
+   - regsvr32.exe wups2.dll  
+   - regsvr32.exe wuweb.dll  
+   - regsvr32.exe qmgr.dll  
+   - regsvr32.exe qmgrprxy.dll  
+   - regsvr32.exe wucltux.dll  
+   - regsvr32.exe muweb.dll  
+   - regsvr32.exe wuwebv.dll 
+7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:  
+   ```
+   netsh reset winsock 
+   ```
+8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER:  
+   ```
+   proxycfg.exe -d 
+   ```
+9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.  
+   ```
+   net start bits  
+   
+   net start wuauserv 
+   ```
+10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
+   ```
+   bitsadmin.exe /reset /allusers
+   ```

windows/deployment/update/windows-update-sources.md

@@ -1,37 +0,0 @@
----
-title: Determine the source of Windows updates
-description: Determine the source that Windows Update service is currently using.
-ms.prod: w10
-ms.mktglfcycl: 
-ms.sitesec: library
-author: kaushika-msft
-ms.localizationpriority: medium
-ms.author: jaimeo
-ms.date: 04/05/2018
----
-
-# Determine the source of Windows updates
-
-Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: 
-
-1.  Start Windows PowerShell as an administrator
-2.  Run  `$MUSM = New-Object -ComObject   “Microsoft.Update.ServiceManager”`.
-3.  Run `$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
-
-| Output          | Interpretation |
-|-----------------------------------------------------|-----------------------------------|
-| - Name: **Microsoft Update**<br>-OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.<br>-  Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)|
-|- Name: **DCat Flighting Prod** <br>-  OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.<br>- Indicates that the client will not receive or is not configured to receive these updates. |
-| - Name: **Windows Store (DCat Prod)**<br>- OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.<br>- Indicates that the client will not receive or is not configured to receive these updates.| 
-|-  Name: **Windows Server Update Service**<br>-  OffersWindowsUpdates: **True**  |- The source is a Windows Server Updates Services server.<br>- The client is configured to receive updates from WSUS.|
-|- Name: **Windows Update**<br>- OffersWindowsUpdates: **True** |- The source is Windows Update.<br>- The client is configured to receive updates from Windows Update Online.|
-
-
-
-See also:
-
-[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760)
-
-[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
-
-[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)

windows/deployment/update/windows-update-troubleshooting.md

@@ -0,0 +1,175 @@
+---
+title: Windows Update troubleshooting 
+description: Learn how to troubleshoot Windows Update
+ms.prod: w10
+ms.mktglfcycl: 
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update troubleshooting
+
+>Applies to: Windows 10
+
+If you run into problems when using Windows Update, start with the following steps: 
+ 
+1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. 
+2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. 
+3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: 
+   
+   - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) 
+   - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) 
+   - [Windows 10, version 1703](https://support.microsoft.com/help/4018124)  
+   - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history)  
+   - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history)  
+   - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history)  
+   - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history)  
+ 
+Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation.  
+ 
+You might encounter the following scenarios when using Windows Update. 
+
+## Why am I offered an older update/upgrade?
+The update that is offered to a device depends on several factors. Some of the most common attributes include the following.  
+
+- OS Build 
+- OS Branch 
+- OS Locale 
+- OS Architecture 
+- Device update management configuration 
+
+If the update you're offered isn't th emost current available, it might be because your device is being managed by a WSUS server, and your'e being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day.  
+ 
+## My machine is frozen at scan. Why? 
+The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following:  
+1. Close the Settings app and reopen it.  
+2. Launch Services.msc and check if the following services are running:  
+   - Update State Orchestrator 
+   - Windows Update 
+ 
+## Issues related to HTTP/Proxy 
+Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. 
+ 
+To fix this issue, configure a proxy in WinHTTP by using the following netsh command: 
+
+``` 
+netsh winhttp set proxy ProxyServerName:PortNumber 
+```
+
+>[!NOTE]
+> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie 
+ 
+If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run.  
+ 
+You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: 
+*.download.windowsupdate.com  
+*.au.windowsupdate.com 
+*.tlu.dl.delivery.mp.microsoft.com  
+
+If you cannot permit RANGE requests, you can configure a Group Policy or MDM Policy setting that will bypass Delivery Optimization and use BITS instead. 
+ 
+ 
+## The update is not applicable to your computer 
+The most common reasons for this error are described in the following table: 
+
+|Cause|Explanation|Resolution|
+|-----|-----------|----------| 
+|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. |
+|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| 
+|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers. <br>Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. |
+|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424). <br>Note: To determine if these prerequisite updates are installed, run the following PowerShell command: <br>get-hotfix KB3173424,KB2919355,KB2919442 <br>If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. 
+
+## Issues related to firewall configuration 
+Error that may be seen in the WU logs:  
+```
+DownloadManager    Error 0x800706d9 occurred while downloading update; notifying dependent calls. 
+```
+Or 
+``` 
+[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 <NULL>, error = 0x800706D9 
+``` 
+Or 
+``` 
+DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 <NULL>, error = 0x80D0000A 
+``` 
+ 
+Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information , see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337\(v=ws.10\)) or [Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4039473/windows-update-stuck-at-0-percent-on-windows-10-and-windows-server-201).
+ 
+## Issues arising from configuration of conflicting policies 
+Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. 
+ 
+See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information.
+ 
+ 
+## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) 
+Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:  
+1. Start Windows PowerShell as an administrator 
+2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". 
+3. Run \$MUSM.Services.  
+ 
+Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. 
+
+|Output|Interpretation| 
+|-|-|
+|- Name: Microsoft Update <br>-OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.<br>- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) |
+|- Name: DCat Flighting Prod <br>- OffersWindowsUpdates: False|- The update source is the Windows Insider Program.<br>- Indicates that the client will not receive or is not configured to receive these updates. |
+|- Name: Windows Store (DCat Prod) <br>- OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.<br>- Indicates that the client will not receive or is not configured to receive these updates.| 
+|- Name: Windows Server Update Service <br>- OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server. <br>- The client is configured to receive updates from WSUS. |
+|- Name: Windows Update<br>- OffersWindowsUpdates: True|- The source is Windows Update. <br>- The client is configured to receive updates from Windows Update Online.| 
+ 
+## You have a bad setup in the environment 
+If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: 
+
+``` 
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
+"UseWUServer"=dword:00000001                                        ===================================> it says use WSUS server.  
+```
+
+From the WU logs: 
+```
+2018-08-06 09:33:31:085  480 1118 Agent ** START **  Agent: Finding updates [CallerId = OperationalInsight  Id = 49] 
+2018-08-06 09:33:31:085  480 1118 Agent ********* 
+2018-08-06 09:33:31:085  480 1118 Agent   * Include potentially superseded updates 
+2018-08-06 09:33:31:085  480 1118 Agent   * Online = No; Ignore download priority = No 
+2018-08-06 09:33:31:085  480 1118 Agent   * Criteria = "IsHidden = 0 AND DeploymentAction=*" 
+2018-08-06 09:33:31:085  480 1118 Agent   * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service 
+2018-08-06 09:33:31:085  480 1118 Agent   * Search Scope = {Machine} 
+2018-08-06 09:33:32:554  480 1118 Agent   * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities 
+2018-08-06 09:33:32:554  480 1118 Agent ********* 
+2018-08-06 09:33:32:554  480 1118 Agent **  END  **  Agent: Finding updates [CallerId = OperationalInsight  Id = 49] 
+```
+
+In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. 
+
+Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here.  
+
+```
+2018-08-06 10:58:45:992  480 5d8 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates  Id = 57] 
+2018-08-06 10:58:45:992  480 5d8 Agent ********* 
+2018-08-06 10:58:45:992  480 5d8 Agent   * Online = Yes; Ignore download priority = No 
+2018-08-06 10:58:45:992  480 5d8 Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" 
+   
+2018-08-06 10:58:46:617  480 5d8 PT   + SyncUpdates round trips: 2 
+2018-08-06 10:58:47:383  480 5d8 Agent   * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities 
+2018-08-06 10:58:47:383  480 5d8 Agent Reporting status event with 0 installable, 83 installed,  0 installed pending, 0 failed and 0 downloaded updates 
+2018-08-06 10:58:47:383  480 5d8 Agent ********* 
+2018-08-06 10:58:47:383  480 5d8 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates  Id = 57] 
+```
+
+## High bandwidth usage on Windows 10 by Windows Update 
+Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. 
+
+The following group policies can help mitigate this: 
+ 
+[Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) 
+[Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) 
+[Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) 
+ 
+Other components that reach out to the internet:
+
+- Windows Spotlight. [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) 
+- [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) 
+- Modern App- Windows Update installation fails. [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) 

windows/security/identity-protection/user-account-control/how-user-account-control-works.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: operate
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 09/19/2018
 ---
 
 # How User Account Control works
@@ -156,36 +156,40 @@ To better understand each component, review the table below:
 <p>Check UAC slider level</p>
 </td>
 <td>
-<p>UAC has four levels of notification to choose from and a slider to use to select the notification level:</p>
+<p>UAC has a slider to select from four levels of notification.</p>
 <ul>
-<li>
-<p>High</p>
-<p>If the slider is set to <b>Always notify</b>, the system checks whether the secure desktop is enabled.</p>
-</li>
-<li>
-<p>Medium</p>
-<p>If the slider is set to <b>Notify me only when programs try to make changes to my computer</b>, the <b>User Account Control: Only elevate executable files that are signed and validated</b> policy setting is checked:</p>
+<li><p><b>Always notify</b> will:</p>
 <ul>
-<li>
-<p>If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run.</p>
-</li>
-<li>
-<p>If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. The <b>User Account Control: Switch to the secure desktop when prompting for elevation</b> Group Policy setting is checked.</p>
-</li>
+<li>Notify you when programs try to install software or make changes to your computer.</li>
+<li>Notify you when you make changes to Windows settings.</li>
+<li>Freeze other tasks until you respond.</li>
 </ul>
+<p>Recommended if you often install new software or visit unfamiliar websites.</p><br>
 </li>
-<li>
-<p>Low</p>
-<p>If the slider is set to <b>Notify me only when apps try to make changes to my computer (do not dim by desktop)</b>, the CreateProcess is called.</p>
-</li>
-<li>
-<p>Never Notify</p>
-<p>If the slider is set to <b>Never notify me when</b>, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer.</p>
-<div class="alert"><b>Important</b>  <p class="note">This setting is not recommended. This setting is the same as setting the <b>User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode</b> policy setting to <b>Elevate without prompting</b>.</p>
-</div>
-<div> </div>
-</li>
+<li><p><b>Notify me only when programs try to make changes to my computer</b> will:</p>
+<ul>
+<li>Notify you when programs try to install software or make changes to your computer.</li>
+<li>Not notify you when you make changes to Windows settings.</li>
+<li>Freeze other tasks until you respond.</li>
 </ul>
+<p>Recommended if you do not often install apps or visit unfamiliar websites.</p><br>
+</li>
+<li><p><b>Notify me only when programs try to make changes to my computer (do not dim my desktop)</b> will:</p>
+<ul>
+<li>Notify you when programs try to install software or make changes to your computer.</li>
+<li>Not notify you when you make changes to Windows settings.</li>
+<li>Not freeze other tasks until you respond.</li>
+</ul>
+<p>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.</p><br>
+</li>
+<li><p><b>Never notify (Disable UAC)</b> will:</p>
+<ul>
+<li>Not notify you when programs try to install software or make changes to your computer.</li>
+<li>Not notify you when you make changes to Windows settings.</li>
+<li>Not freeze other tasks until you respond.</li>
+</ul>
+<p>Not recommended due to security concerns.</p>
+</li></ul>
 </td>
 </tr>
 <tr>

windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: aadake
-ms.date: 09/06/2018
+ms.date: 09/19/2018
 ---
 
 # Kernel DMA Protection for Thunderbolt™ 3 
@@ -19,6 +19,8 @@ Drive-by DMA attacks can lead to disclosure of sensitive information residing on
 
 This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
 
+For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation.
+
 ## Background
 
 PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations. 

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 author: justinha
 ms.author: justinha
 ms.localizationpriority: medium
-ms.date: 08/08/2018
+ms.date: 09/19/2018
 ---
 
 # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@@ -32,11 +32,11 @@ Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on
 Follow these steps to add a WIP policy using Intune.
 
 **To add a WIP policy**
-1.  Open Microsoft Intune and click **Mobile apps**.
+1.  Open Microsoft Intune and click **Client apps**.
 
-    ![Open Mobile apps](images/open-mobile-apps.png)
+    ![Open Client apps](images/open-mobile-apps.png)
 
-2. In **Mobile apps**, click **App protection policies**.
+2. In **Client apps**, click **App protection policies**.
 
     ![App protection policies](images/app-protection-policies.png)
 

windows/security/threat-protection/TOC.md

@@ -30,7 +30,7 @@
  
 ##### Machines list
 ###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
-###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+###### [Manage machine group and tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md)
 ###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
 ###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
 ####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
@@ -138,7 +138,7 @@
 ####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
  
-##### [Managed service provider provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
+##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
 
 #### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
 #####  [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md)
@@ -372,6 +372,7 @@
 #### [Malware names](intelligence/malware-naming.md)
 #### [Coin miners](intelligence/coinminer-malware.md)
 #### [Exploits and exploit kits](intelligence/exploits-malware.md)
+#### [Fileless threats](intelligence/fileless-threats.md)
 #### [Macro malware](intelligence/macro-malware.md)
 #### [Phishing](intelligence/phishing.md)
 #### [Ransomware](intelligence/ransomware-malware.md)

windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md

@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/advanced-security-auditing-faq.md

@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/advanced-security-auditing.md

@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md

@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md

@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 07/25/2018
 ---

windows/security/threat-protection/auditing/audit-account-lockout.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 07/16/2018
 ---

windows/security/threat-protection/auditing/audit-application-generated.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-application-group-management.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-audit-policy-change.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-authentication-policy-change.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-authorization-policy-change.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-central-access-policy-staging.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-certification-services.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-computer-account-management.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-credential-validation.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-detailed-file-share.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-directory-service-access.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-directory-service-changes.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-directory-service-replication.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-distribution-group-management.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-dpapi-activity.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-file-share.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-file-system.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-filtering-platform-connection.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-group-membership.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-handle-manipulation.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-ipsec-driver.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-ipsec-main-mode.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-kernel-object.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-logoff.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 07/16/2018
 ---

windows/security/threat-protection/auditing/audit-logon.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-network-policy-server.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-other-account-logon-events.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-other-account-management-events.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---

windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md

@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---