Merge remote-tracking branch 'refs/remotes/origin/master' into vs-11092095

browsers/edge/available-policies.md

@@ -16,6 +16,9 @@ localizationpriority: high
 - Windows 10, Windows Insider Program 
 - Windows 10 Mobile, Windows Insider Program
 
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
 
 By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.

education/windows/index.md

@@ -63,7 +63,12 @@ author: CelesteDG
 
  <div class="side-by-side"> <div class="side-by-side-content">
  <div class="side-by-side-content-left"><p><b>[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)</b><br />If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.</p></div>
+<<<<<<< HEAD
+ <div class="side-by-side-content-right">
+ <p></p>
+=======
  <div class="side-by-side-content-right"><p></p>
+>>>>>>> e04a8c5905ed4bcb1df7b6b60d48146df9095a12
  </div>
  </div>
 

smb/TOC.md

@@ -1 +1,2 @@
-# [SMB](index.md)
+# [Windows 10 for SMB](index.md)
+## [Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)

smb/cloud-mode-business-setup.md

@@ -0,0 +1,580 @@
+---
+title: Deploy and manage a full cloud IT solution for your business
+description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices.
+keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365
+ms.prod: w10
+ms.technology: smb-windows
+ms.topic: hero-article
+ms.author: celested
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.lang: EN 
+ms.loc: US 
+ms.pagetype: smb
+author: CelesteDG
+---
+
+![Are you ready to move to the cloud?](images/business-cloud-mode.png)
+
+# Get started: Deploy and manage a full cloud IT solution for your business
+**Applies to:**
+
+-   Office 365 Business Premium, Azure AD Premium, Intune, Windows Store for Business, Windows 10
+
+In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Windows Store for Business, and Windows 10. We'll show you the basics on how to:
+- Acquire an Office 365 business domain
+- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
+- Set up Windows Store for Business and manage app deployment and sync with Intune
+- Add users and groups in Azure AD and Intune
+- Create policies and app deployment rules
+- Log in as a user and start using your Windows device
+
+Go to the <a href="http://business.microsoft.com" target="_blank">Microsoft Business site</a> and select **Products** to learn more about pricing and purchasing options for your business.
+
+## Prerequisites
+Here's a few things to keep in mind before you get started:
+- You'll need a registered domain to successfully go through the walkthrough.
+  - If you already own a domain, you can add this during the Office 365 setup.
+  - If you don't already own a domain, you'll have the option to purchase a domain from the Office 365 admin center. We'll show how to do this as part of the walkthrough.
+- You'll need an email address to create your Office 365 tenant.
+- We recommend that you use Internet Explorer for the entire walkthrough. Right click on Internet Explorer and then choose **Start InPrivate Browsing**.
+
+## 1. Set up your cloud infrastructure
+To set up a cloud infrastructure for your organization, follow the steps in this section.
+
+### 1.1 Set up Office 365 for business
+See <a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
+- Plan your setup
+- Create Office 365 accounts and how to add your domain.
+- Install Office
+
+To set up your Office 365 business tenant, see <a href="https://support.office.com/en-us/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Office 365 for business</a>.
+
+If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started:
+
+1. Go to the <a href="https://business.microsoft.com/en-us/products/office-365" target="_blank">Office 365</a> page in the <a href="http://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**.
+
+  **Figure 1** - Try or buy Office 365
+
+  ![Office 365 for business sign up](images/office365_tryorbuy_now.png)
+
+2. Fill out the sign up form and provide information about you and your company.
+3. Create a user ID and password to use to sign into your account.
+
+  This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the admin portal).
+
+4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code.
+5. Select **You're ready to go...** which will take you to the Office 365 portal.
+
+  > [!NOTE]  
+  > In the Office 365 portal, icons that are greyed out are still installing.
+
+  **Figure 2** - Office 365 portal
+
+  ![Office 365 portal](images/office365_portal.png)
+
+
+6. Select the **Admin** tile to go to the Office 365 admin center.
+7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup.
+
+  This may take up to a half hour to complete.
+  
+  **Figure 3** - Office 365 admin center
+
+  ![Office 365 admin center](images/office365_admin_portal.png)
+
+
+8. Go back to the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">Office 365 admin center</a> to add or buy a domain.
+  1. Select the **Domains** option.
+
+    **Figure 4** - Option to add or buy a domain
+
+    ![Add or buy a domain in Office 365 admin center](images/office365_buy_domain.png)
+    
+
+  2.  In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
+
+    **Figure 5** - Microsoft-provided domain
+
+    ![Microsoft-provided domain](images/office365_ms_provided_domain.png)
+
+    - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain.
+    - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order.
+
+    Once you've added your domain, you'll see it listed in addition to the Microsoft-provided onmicrosoft.com domain.
+
+    **Figure 6** - Domains
+
+    ![Verify your domains in Office 365 admin center](images/office365_additional_domain.png)
+
+### 1.2 Add users and assign product licenses
+Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Office 365 admin center.
+
+When adding users, you can also assign admin privileges to certain users in your team. You'll also want to assign **Product licenses** to each user so that subscriptions can be assigned to the person.
+
+**To add users and assign product licenses**
+
+1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">Office 365 admin center</a>, select **Users > Active users**.
+
+  **Figure 7** - Add users
+
+  ![Add Office 365 users](images/office365_users.png)
+
+2. In the **Home > Active users** page, add users individually or in bulk.
+  - To add users one at a time, select **+ Add a user**.
+
+    If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the Office 365 admin center* in <a href="https://support.office.com/en-us/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
+
+    **Figure 8** - Add an individual user
+
+    ![Add an individual user](images/office365_add_individual_user.png)
+
+  - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
+
+    The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
+
+    **Figure 9** - Import multiple users
+
+    ![Import multiple users](images/office365_import_multiple_users.png)
+
+3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them.
+
+  **Figure 10** - List of active users
+
+  ![Verify users and assigned product licenses](images/o365_active_users.png)
+
+### 1.3 Add Microsoft Intune
+Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see <a href="https://docs.microsoft.com/en-us/intune/understand-explore/introduction-to-microsoft-intune" target="_blank">What is Intune?</a>
+
+**To add Microsoft Intune to your tenant**
+
+1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">Office 365 admin center</a>, select **Billing > Purchase services**.
+2. In the **Home > Purchase services** screen, search for **Microsoft Intune**. Hover over **Microsoft Intune** to see the options to start a free 30-day trial or to buy now.
+3. Confirm your order to enable access to Microsoft Intune.
+4. In the admin center, the Intune licenses will show as available and ready to be assigned to users. Select **Users > Active users** and then edit the product licenses assigned to the users to turn on **Intune A Direct**.
+
+  **Figure 11** - Assign Intune licenses
+
+  ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png)
+
+5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
+6. Select **Intune**. This will take you to the Intune management portal.
+
+  **Figure 12** - Microsoft Intune management portal
+
+  ![Microsoft Intune management portal](images/intune_portal_home.png)
+
+Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Windows Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution).
+
+### 1.4 Add Azure AD to your domain
+Microsoft Azure is an open and flexible cloud platform that enables you to quickly build, deploy, and manage apps across a global network of Microsoft-managed datacenters. In this walkthrough, we won't be using the full power of Azure and we'll primarily use it to create groups that we then use for provisioning through Intune. 
+
+**To add Azure AD to your domain**
+
+1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">Office 365 admin center</a>, select **Admin centers > Azure AD**.
+
+  > [!NOTE]
+  > You will need Azure AD Premium to configure automatic MDM enrollment with Intune.
+
+2. If you have not signed up for Azure AD before, you will see the following message. To proceed with the rest of the walkthrough, you need to activate an Azure subscription.
+
+  **Figure 13** - Access to Azure AD is not available
+
+  ![Access to Azure AD not available](images/azure_ad_access_not_available.png)
+
+3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
+4. Click **Azure subscription**. This will take you to a free trial sign up screen.
+
+  **Figure 14** - Sign up for Microsoft Azure
+
+  ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png)
+
+5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**.
+6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**.
+
+  **Figure 15** - Start managing your Azure subscription
+
+  ![Start managing your Azure subscription](images/azure_ad_successful_signup.png)
+
+  This will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
+
+### 1.5 Add groups in Azure AD
+This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-groups" target="_blank">Managing access to resources with Azure Active Directory groups</a>.
+
+To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal (https://manage.windowsazure.com)</a>. See <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-manage-groups" target="_blank">Managing groups in Azure Active Directory</a> for more information about managing groups.
+
+**To add groups in Azure AD**
+
+1. If this is the first time you're setting up your directory, when you navigate to the **Azure Active Directory** node in the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, you will see a screen informing you that your directory is ready for use.
+
+  Afterwards, you should see a list of active directories. In the following example, **Fabrikam Design** is the active directory.
+
+  **Figure 16** - Azure first sign-in screen
+
+  ![Select Azure AD](images/azure_portal_classic_configure_directory.png)
+
+2. Select the directory (such as Fabrikam Design) to go to the directory's home page.
+
+  **Figure 17** - Directory home page
+
+  ![Directory home page](images/azure_portal_classic_directory_ready.png)
+
+3. From the menu options on top, select **Groups**.
+
+  **Figure 18** - Azure AD groups
+
+  ![Add groups in Azure AD](images/azure_portal_classic_groups.png)
+
+4. Select **Add a group** (from the top) or **Add group** at the bottom.
+5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list.
+
+  **Figure 19** - Newly added group in Azure AD
+
+  ![Verify the new group appears on the list](images/azure_portal_classic_all_users_group.png)
+
+6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes.
+
+  The members that were added to the group will appear on the list.
+
+  **Figure 20** - Members in the new group
+
+  ![Members added to the new group](images/azure_portal_classic_members_added.png)
+
+7. Repeat steps 2-6 to add other groups. You can add groups based on their roles in your company, based on the apps that each group can use, and so on.
+
+### 1.6 Configure automatic MDM enrollment with Intune
+Now that you have Azure AD Premium and have it properly configured, you can configure automatic MDM enrollment with Intune, which allows users to enroll their Windows devices into Intune management, join their devices directly to Azure AD, and get access to Office 365 resources after sign in.
+
+You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/" target="_blank">this blog post</a> to learn how you can combine login, Azure AD Join, and Intune MDM enrollment into an easy step so that you can bring your devices into a managed state that complies with the policies for your organization. We will use this blog post as our guide for this part of the walkthrough.
+
+> [!IMPORTANT]  
+> We will use the classic Azure portal instead of the new portal to configure automatic MDM enrollment with Intune.
+
+**To enable automatic MDM enrollment**
+
+1. In to the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options. 
+
+  The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list.
+
+  **Figure 21** - List of applications for your company
+
+  ![List of applications for your company](images/azure_portal_classic_applications.png)
+
+2. Select **Microsoft Intune** to configure the application.
+3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune.
+
+  **Figure 22** - Configure Microsoft Intune in Azure
+
+  ![Configure Microsoft Intune in Azure](images/azure_portal_classic_configure_intune_app.png)
+
+4. In the Microsoft Intune configuration page:
+  - In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance.
+
+    > [!NOTE]  
+    > The URLs are automatically configured for your Azure AD tenant so you don't need to change them.
+
+  - In the **Manage devices for these users** section, you can specify which users' devices should be managed by Intune.
+    - **All** will enable all users' Windows 10 devices to be managed by Intune.
+    - **Groups** let you select whether only users that belong to a specific group will have their devices managed by Intune.
+
+    > [!NOTE]  
+    > In this step, choose the group that contains all the users in your organization as members. This is the **All** group.
+
+5. After you've chosen how to manage devices for users, select **Save** to enable automatic MDM enrollment with Intune.
+
+  **Figure 23** - Configure Microsoft Intune
+
+  ![Configure automatic MDM enrollment with Intune](images/azure_portal_classic_configure_intune_mdm_enrollment.png)
+
+### 1.7 Configure Windows Store for Business for app distribution
+Next, you'll need to configure Windows Store for Business to distribute apps with a management tool such as Intune.
+
+In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Windows Store for Business</a>.
+
+**To associate your Store account with Intune and configure synchronization**
+
+1. From the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a>, select **Admin**.
+2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first tiem you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
+
+  **Figure 24** - Mobile device management
+
+  ![Set up mobile device management in Intune](images/intune_admin_mdm_configure.png)
+
+3. Sign into <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Windows Store for Business</a> using the same tenant account that you used to sign into Intune.
+4. Accept the EULA.
+5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
+6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Windows Store for Business.
+
+  **Figure 25** - Activate Intune as the Store management tool
+
+  ![Activate Intune from the Store portal](images/wsfb_management_tools_activate.png)
+
+7. Go back to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
+8. In the **Windows Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
+
+  **Figure 26** - Configure Store for Business sync in Intune
+
+  ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png)
+
+9. In the **Configure Windows Store for Business app sync** dialog box, check **Enable Windows Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
+
+  **Figure 27** - Enable Windows Store for Business sync in Intune
+
+  ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png)
+
+  The **Windows Store for Business** page will refresh and it will show the details from the sync.
+
+**To buy apps from the Store**
+
+In your <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Windows Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
+- Sway
+- OneNote
+- PowerPoint Mobile
+- Excel Mobile
+- Word Mobile
+
+In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune.
+
+In the following example, we'll show you how to buy apps through the Windows Store for Business and then make sure the apps appear on Intune.
+
+**Example 1 - Add other apps like Reader and InstaNote**
+
+1. In the <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Windows Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
+
+  **Figure 28** - Shop for Store apps
+
+  ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png)
+
+2. Click to select an app, such as **Reader**. This opens the app page.
+3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page.
+4. In the app's Store page, click **Add to private store**.
+5. Next, search for another app by name (such as **InstaNote**) or repeat steps 1-4 for the **InstaNote** app.
+6. Go to **Manage > Inventory** and verify that the apps you purchased appear in your inventory.
+
+  **Figure 29** - App inventory shows the purchased apps
+
+  ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png)
+
+  > [!NOTE]
+  > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync).
+
+**<a name="forceappsync"></a>To sync recently purchased apps**
+
+If you need to sync your most recently purchased apps and have it appear in your catalog, you can do this by forcing a sync.
+
+1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin > Mobile Device Management > Windows > Store for Business**.
+2. In the **Windows Store for Business** page, click **Sync now** to force a sync.
+
+  **Figure 30** - Force a sync in Intune
+
+  ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png)
+
+**To view purchased apps**
+- In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
+
+**To add more apps**
+- If you have other apps that you want to deploy or manage, you must add it to Microsoft Intune. To deploy Win32 apps and Web links, see <a href="https://docs.microsoft.com/en-us/intune/deploy-use/add-apps-for-mobile-devices-in-microsoft-intune" target="_blank">Add apps for enrolled devices to Intune</a> for more info on how to do this.
+
+## 2. Set up devices
+
+### 2.1 Set up new devices
+To set up new Windows devices, go through the Windows initial device setup or first-run experience to configure your device.
+
+**<a name="usewindowsoobe"></a>To set up a device**
+1. Go through the Windows device setup experience. On a new or reset device, this starts with the **Hi there** screen on devices running Windows 10, version 1607 (Anniversary Update). The setup lets you:
+  - Fill in the details in the **Hi there** screen including your home country/region, preferred language, keyboard layout, and timezone
+  - Accept the EULA
+  - Customize the setup or use Express settings
+
+  **Figure 31** - First screen in Windows device setup
+
+  ![First screen in Windows device setup](images/win10_hithere.png)
+
+  > [!NOTE]  
+  > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection.
+
+2. In the **Who owns this PC?** screen, select **My work or school owns it** and click **Next**.
+3. In the **Choose how you'll connect** screen, select **Join Azure Active Directory** and click **Next**.
+
+  **Figure 32** - Choose how you'll connect your Windows device
+
+  ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png)
+
+4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
+
+  **Figure 33** - Sign in using one of the accounts you added
+
+  ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png)
+
+5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup.
+
+  Windows will continue with setup and you may be asked to set up a PIN for Windows Hello if your organization has it enabled.
+
+### 2.2 Verify correct device setup
+Verify that the device is set up correctly and boots without any issues.
+
+**To verify that the device was set up correctly**
+1. Click on the **Start** menu and select some of the options to make sure everything launches properly.
+2. Confirm that the Store and built-in apps are working.
+
+### 2.3 Verify the device is Azure AD joined
+In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
+
+**To verify if the device is joined to Azure AD**
+1. Check the device name on your PC. To do this, on your Windows PC, select **Settings > System > About** and then check **PC name**.
+
+  **Figure 34** - Check the PC name on your device
+
+  ![Check the PC name on your device](images/win10_settings_pcname.png)
+  
+2. Log in to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>.
+3. Select **Groups** and then go to **Devices**.
+4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC. 
+  - Check that the device name appears in the list. Select the device and it will also show the user that's currently logged in in the **General Information** section.
+  - Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**.
+  - Check the **AAD Registered** column and confirm that it says **Yes**.
+
+  **Figure 35** - Check that the device appears in Intune
+
+  ![Check that the device appears in Intune](images/intune_groups_devices_list.png)
+
+## 3. Manage device settings and features
+You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
+
+In this section, we'll show you how to reconfigure app deployment settings and add a new policy that will disable the camera for the Intune-managed devices and turn off Windows Hello and PINs during setup.
+
+### 3.1 Reconfigure app deployment settings
+In some cases, if an app is missing from the device, you need to reconfigure the deployment settings for the app and set the app to require installation as soon as possible.
+
+**To reconfigure app deployment settings**
+1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps** and go to **Apps > Volume-Purchased Apps**.
+2. Select the app, right-click, then select **Manage Deployment...**.
+3. Select the group(s) whose apps will be managed, and then click **Add** to add the group.
+4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app.
+5. For each group that you selected, set **Approval** to **Required Install**. This automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**.
+
+  **Figure 36** - Reconfigure an app's deployment setting in Intune
+
+  ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png)
+
+6. Click **Finish**.
+7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
+6. Verify that the app shows up on the device. To do this:
+  - Make sure you're logged in to the Windows device.
+  - Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. Only apps that aren't already deployed on the device will appear in the **Recently added** section.
+
+    **Figure 37** - Confirm that additional apps were deployed to the device
+
+    ![Confirm that additiional apps were deployed to the device](images/win10_deploy_apps_immediately.png)
+
+### 3.2 Configure other settings in Intune
+
+**To disable the camera**
+1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Policy > Configuration Policies**.
+2. In the **Policies** window, click **Add** to create a new policy.
+3. On the **Create a New Policy** page, click **Windows** to expand the group, select **General Configuration (Windows 10 Desktop and Mobile and later)**, choose **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+4. On the **Create Policy** page, select **Device Capabilities**.
+5. In the **General** section, add a name and description for this policy. For example:
+  - **Name**: Test Policy - Disable Camera
+  - **Description**: Disables the camera
+6. Scroll down to the **Hardware** section, find **Allow camera is not configured**, toggle the button so that it changes to **Allow camera** and choose **No** from the dropdown list.
+
+  **Figure 38** - Add a configuration policy
+
+  ![Add a configuration policy](images/intune_policy_disablecamera.png)
+
+7. Click **Save Policy**. A confirmation window will pop up.
+8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now.
+9. On the **Management Deployment** window, select the user group(s) or device group(s) that you want to apply the policy to (for example, **All Users**), and then click **Add**. 
+10. Click **OK** to close the window. 
+
+  **Figure 39** - The new policy should appear in the **Policies** list.
+
+  ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png)
+
+**To turn off Windows Hello and PINs during device setup**
+1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin**.
+2. Go to **Mobile Device Management > Windows > Windows Hello for Business**.
+3. In the **Windows Hello for Business** page, select **Disable Windows Hello for Business on enrolled devices**.
+
+  **Figure 40** - Policy to disable Windows Hello for Business
+
+  ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png)
+
+4. Click **Save**.
+
+  > [!NOTE]
+  > This policy is a tenant-wide Intune setting. It disables Windows Hello and required PINs during setup for all enrolled devices in a tenant.
+
+To test whether these policies get successfully deployed to your tenant, go through [4. Add more devices and users](#4-add-more-devices-and-users) and setup another Windows device and login as one of the users. 
+
+## 4. Add more devices and users
+After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more devices or users and you want the same policies to apply to these new devices and users. In this section, we'll show you how to do this.
+
+### 4.1 Connect other devices to your cloud infrastructure
+Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [2. Set up devices](#2-set-up-devices). 
+
+For other devices, such as those personally-owned by employees who need to connect to the corporate network to access corporate resources (BYOD), you can follow the steps in this section to get these devices connected.
+
+  > [!NOTE]
+  > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
+
+**To connect a personal device to your work or school**
+1. On your Windows device, go to **Settings > Accounts**.
+2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page.
+3. In the **Set up a work or school account** window, click **Join this device to Azure Active Directory** to add an Azure AD account to the device.
+
+  **Figure 41** - Add an Azure AD account to the device
+
+  ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png)
+
+4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
+
+  **Figure 42** - Enter the account details
+
+  ![Enter the account details](images/win10_add_new_user_account_aadwork.png)
+
+5. You will be asked to update the password so enter a new password.
+6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
+
+  **Figure 43** - Make sure this is your organization
+
+  ![Make sure this is your organization](images/win10_confirm_organization_details.png)
+
+7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
+
+  **Figure 44** - Confirmation that the device is now connected
+
+  ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png)
+
+8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
+
+  **Figure 45** - Device is now enrolled in Azure AD
+
+  ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png)
+
+9. You can confirm that the new device and user are showing up as Intune-managed by going to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
+
+### 4.2 Add a new user
+You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
+
+See [Add users to Office 365](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc?ui=en-US&rs=en-US&ad=US&fromAR=1) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
+
+## Get more info
+
+### For IT admins
+To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
+- <a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
+- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/en-us/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
+- More info about managing devices, apps, data, troubleshooting, and more in <a href="https://docs.microsoft.com/en-us/intune/" target="_blank">Intune documentation</a>
+- Learn more about Windows 10 in <a href="http://technet.microsoft.com/windows/windows10.aspx" target="_blank">Windows 10 guide for IT pros</a>
+- Info about distributing apps to your employees, managing apps, managing settings, and more in <a href="https://technet.microsoft.com/en-us/itpro/windows/manage/windows-store-for-business" target="_blank">Windows Store for Business</a>
+
+### For information workers
+Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
+- <a href="https://support.office.com/" target="_blank">Office help and training</a>
+- <a href="https://support.microsoft.com/en-us/products/windows?os=windows-10" target="_blank">Windows 10 help</a>
+
+## Related topics
+
+- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)

smb/index.md

@@ -1,4 +1,47 @@
 ---
-title: SMB placeholder
-description: SMB placeholder
+title: Windows 10 for small to midsize businesses
+description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.
+keywords: Windows 10, SMB, small business, midsize business, business
+ms.prod: w10
+ms.technology: smb-windows
+ms.topic: article
+ms.author: celested
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.lang: EN 
+ms.loc: US 
+ms.pagetype: smb
+author: CelesteDG
 ---
+
+![Windows 10 for SMB](images/smb_portal_banner.png)
+
+# Windows 10 for SMB
+<link rel="stylesheet" href="https://az835927.vo.msecnd.net/sites/uwp/Resources/css/custom.css">
+
+## ![Learn more about Windows and other resources for SMBs](images/learn.png) Learn
+
+<div class="side-by-side"> <div class="side-by-side-content">
+<div class="side-by-side-content-left">
+<p><b><a href="https://business.microsoft.com/en-us/products/windows" target="_blank">Windows 10 for business</a></b><br />Learn how Windows 10 and Windows devices can help your business.</p>
+<p><b><a href="https://blogs.business.microsoft.com/" target="_blank">SMB blog</a></b><br />Read about the latest stories, technology insights, and business strategies for SMBs.</p>
+</div>
+<div class="side-by-side-content-right">
+<p><b><a href="https://business.microsoft.com/en-us/products" target="_blank">How to buy</a></b><br />Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.</p>
+</div>
+</div>
+
+## ![Deploy a Microsoft solution for your business](images/deploy.png) Deploy
+
+<div class="side-by-side"> <div class="side-by-side-content">
+<div class="side-by-side-content-left">
+<p><b>[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)</b><br />Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.</p>
+</div>
+<div class="side-by-side-content-right">
+<p></p>
+</div>
+</div>
+
+ ## Related topics
+
+- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)

windows/deploy/TOC.md

@@ -51,6 +51,7 @@
 ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
 ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
 ## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
+## [Convert MBR partition to GPT](mbr-to-gpt.md)
 ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
 ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
 ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)

windows/deploy/change-history-for-deploy-windows-10.md

@@ -11,6 +11,11 @@ author: greg-lindsay
 # Change history for Deploy Windows 10
 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
+## March 2017
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Convert MBR partition to GPT](mbr-to-gpt.md) | New | 
+
 ## February 2017
 | New or changed topic | Description |
 |----------------------|-------------|

windows/deploy/index.md

@@ -24,6 +24,7 @@ Learn about deploying Windows 10 for IT professionals.
 |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
 |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
 |[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
+|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
 | [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Imaging and Configuration Designer (ICD) and provisioning packages to easily configure multiple devices. |

windows/deploy/mbr-to-gpt.md

@@ -0,0 +1,384 @@
+---
+title: MBR2GPT
+description: How to use the MBR2GPT tool to convert MBR partitions to GPT
+keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+localizationpriority: high
+---
+
+# MBR2GPT.EXE
+
+**Applies to**
+-   Windows 10
+
+## Summary
+
+**MBR2GPT.EXE** converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+
+You can use MBR2GPT to perform the following:
+
+- \[Within the Windows PE environment\]: Convert any attached MBR-formatted disk to GPT, including the system disk.
+- \[From within the currently running OS\]: Convert any attached MBR-formatted disk to GPT, including the system disk.
+
+>MBR2GPT is available in Windows 10 version 1703, also known as Windows 10 Creator's Update, and later versions. 
+>The tool is available in both the full OS environment and Windows PE. 
+
+You can use MBR2GPT to convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+
+The MBR2GPT tool can convert operating system disks that have earlier versions of Windows installed, such as Windows 10 versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+
+>[!IMPORTANT]
+>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. <BR>Make sure that your device supports UEFI before attempting to convert the disk.
+
+## Syntax
+
+<table style="font-family:consolas;font-size:12px" >
+<TR><TD>MBR2GPT /validate|convert [/disk:\<diskNumber\>] [/logs:\<logDirectory\>] [/map:\<source\>=\<destination\>] [/allowFullOS]
+</TABLE>
+
+### Options
+
+| Option | Description |
+|----|-------------|
+|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. |
+|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. |
+|/disk:\<diskNumber\>| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
+|/logs:\<logDirectory\>| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
+|/map:\<source\>=\<destination\>| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
+|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.|
+
+## Examples
+
+### Validation example
+
+In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**.
+
+```
+X:\>mbr2gpt /validate /disk:0
+MBR2GPT: Attempting to validate disk 0
+MBR2GPT: Retrieving layout of disk
+MBR2GPT: Validating layout, disk sector size is: 512
+MBR2GPT: Validation completed successfully
+```
+
+### Conversion example
+
+In the following example:
+
+1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. 
+2. The MBR2GPT tool is used to convert disk 0.
+3. The DISKPART tool displays that disk 0 is now using the GPT format.
+4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. 
+
+>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+
+```
+DISKPART> list volume
+
+  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
+  ----------  ---  -----------  -----  ----------  -------  ---------  --------
+  Volume 0     F   CENA_X64FRE  UDF    DVD-ROM     4027 MB  Healthy
+  Volume 1     C   System Rese  NTFS   Partition    499 MB  Healthy
+  Volume 2     D   Windows      NTFS   Partition     58 GB  Healthy
+  Volume 3     E   Recovery     NTFS   Partition    612 MB  Healthy    Hidden
+
+DISKPART> select volume 2
+
+Volume 2 is the selected volume.
+
+DISKPART> list partition
+
+  Partition ###  Type              Size     Offset
+  -------------  ----------------  -------  -------
+  Partition 1    Primary            499 MB  1024 KB
+* Partition 2    Primary             58 GB   500 MB
+  Partition 3    Recovery           612 MB    59 GB
+
+DISKPART> detail partition
+
+Partition 2
+Type  : 07
+Hidden: No
+Active: No
+Offset in Bytes: 524288000
+
+  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
+  ----------  ---  -----------  -----  ----------  -------  ---------  --------
+* Volume 2     D   Windows      NTFS   Partition     58 GB  Healthy
+
+DISKPART> exit
+
+Leaving DiskPart...
+
+X:\>mbr2gpt /convert /disk:0
+
+MBR2GPT will now attempt to convert disk 0.
+If conversion is successful the disk can only be booted in GPT mode.
+These changes cannot be undone!
+
+MBR2GPT: Attempting to convert disk 0
+MBR2GPT: Retrieving layout of disk
+MBR2GPT: Validating layout, disk sector size is: 512 bytes
+MBR2GPT: Trying to shrink the system partition
+MBR2GPT: Trying to shrink the OS partition
+MBR2GPT: Creating the EFI system partition
+MBR2GPT: Installing the new boot files
+MBR2GPT: Performing the layout conversion
+MBR2GPT: Migrating default boot entry
+MBR2GPT: Adding recovery boot entry
+MBR2GPT: Fixing drive letter mapping
+MBR2GPT: Conversion completed successfully
+MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!
+
+X:\>diskpart
+
+Microsoft DiskPart version 10.0.15048.0
+
+Copyright (C) Microsoft Corporation.
+On computer: MININT-K71F13N
+
+DISKPART> list disk
+
+  Disk ###  Status         Size     Free     Dyn  Gpt
+  --------  -------------  -------  -------  ---  ---
+  Disk 0    Online           60 GB      0 B        *
+
+DISKPART> select disk 0
+
+Disk 0 is now the selected disk.
+
+DISKPART> list volume
+
+  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
+  ----------  ---  -----------  -----  ----------  -------  ---------  --------
+  Volume 0     F   CENA_X64FRE  UDF    DVD-ROM     4027 MB  Healthy
+  Volume 1     D   Windows      NTFS   Partition     58 GB  Healthy
+  Volume 2     C   System Rese  NTFS   Partition    499 MB  Healthy    Hidden
+  Volume 3                      FAT32  Partition    100 MB  Healthy    Hidden
+  Volume 4     E   Recovery     NTFS   Partition    612 MB  Healthy    Hidden
+
+DISKPART> select volume 1
+
+Volume 1 is the selected volume.
+
+DISKPART> list partition
+
+  Partition ###  Type              Size     Offset
+  -------------  ----------------  -------  -------
+  Partition 1    Recovery           499 MB  1024 KB
+* Partition 2    Primary             58 GB   500 MB
+  Partition 4    System             100 MB    59 GB
+  Partition 3    Recovery           612 MB    59 GB
+
+DISKPART> detail partition
+
+Partition 2
+Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
+Hidden  : No
+Required: No
+Attrib  : 0000000000000000
+Offset in Bytes: 524288000
+
+  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
+  ----------  ---  -----------  -----  ----------  -------  ---------  --------
+* Volume 1     D   Windows      NTFS   Partition     58 GB  Healthy
+
+```
+
+## Specifications
+
+### Disk conversion workflow
+
+The following steps illustrate high-level phases of the MBR-to-GPT conversion process:
+
+1. Disk validation is performed.
+2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist.
+3. UEFI boot files are installed to the ESP.
+4. GPT metatdata and layout information is applied.
+5. The boot configuration data (BCD) store is updated.
+6. Drive letter assignments are restored.
+
+### Disk validation
+
+Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
+- The disk is currently using MBR
+- There is enough space not occupied by partitions to store the primary and secondary GPTs:
+  - 16KB + 2 sectors at the front of the disk
+  - 16KB + 1 sector at the end of the disk
+- There are at most 3 primary partitions in the MBR partition table
+- One of the partitions is set as active and is the system partition
+- The BCD store on the system partition contains a default OS entry pointing to an OS partition
+- The volume IDs can retrieved for each volume which has a drive letter assigned
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+
+If any of these checks fails, the conversion will not proceed and an error will be returned.
+
+### Creating an EFI system partition
+
+For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
+
+1. The existing MBR system partition is reused if it meets these requirements:
+  a. It is not also the OS or Windows Recovery Environment partition
+  b. It is at least 100MB (or 260MB for 4K sector size disks) in size
+  c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
+  d. If the conversion is being performed from the full OS, the disk being converted is not the system disk.
+2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32.
+
+If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified.
+
+### Partition type mapping and partition attributes
+
+Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
+
+1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b).
+2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used.
+3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac).
+4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
+
+In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
+- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
+- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
+
+For more information about partition types, see:
+- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx)
+- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx)
+
+
+###	Persisting drive letter assignments
+
+The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. 
+
+The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following:
+
+1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
+2. If found, set the value to be the new unique ID, obtained after the layout conversion.
+3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
+
+## Troubleshooting
+
+The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
+
+### Logs
+
+Four log files are created by the MBR2GPT tool:
+
+- diagerr.xml
+- diagwrn.xml
+- setupact.log
+- setuperr.log
+
+These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
+
+The default location for all these log files in Windows PE is **%windir%**.
+
+### Interactive help
+
+To view a list of options available when using the tool, type **mbr2gpt /?** 
+
+The following text is displayed:
+
+```
+
+C:\> mbr2gpt /?
+
+Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk.
+
+MBR2GPT.exe /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS]
+
+Where:
+
+ /validate
+         - Validates that the selected disk can be converted
+           without performing the actual conversion.
+
+ /convert
+         - Validates that the selected disk can be converted
+           and performs the actual conversion.
+
+ /disk:<diskNumber>
+         - Specifies the disk number of the disk to be processed.
+           If not specified, the system disk is processed.
+
+ /logs:<logDirectory>
+         - Specifies the directory for logging. By default logs
+           are created in the %windir% directory.
+
+ /map:<source>=<destination>
+         - Specifies the GPT partition type to be used for a
+           given MBR partition type not recognized by Windows.
+           Multiple /map switches are allowed.
+
+ /allowFullOS
+         - Allows the tool to be used from the full Windows
+           environment. By default, this tool can only be used
+           from the Windows Preinstallation Environment.
+
+```
+
+### Return codes
+
+MBR2GPT has the following associated return codes:
+
+| Return code | Description |
+|----|-------------|
+|0| Conversion completed successfully.|
+|1| Conversion was canceled by the user.|
+|2| Conversion failed due to an internal error.|
+|3| Conversion failed due to an initialization error.|
+|4| Conversion failed due to invalid command-line parameters. |
+|5| Conversion failed due to error reading the geometry and layout of the selected disk.|
+|6| Conversion failed because one or more volumes on the disk is encrypted.|
+|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.|
+|8| Conversion failed due to error while creating the EFI system partition.|
+|9| Conversion failed due to error installing boot files.|
+|10| Conversion failed due to error while applying GPT layout.|
+|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.|
+
+
+### Determining the partition type
+
+You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown:
+
+
+```
+PS C:\> Get-Disk | ft -Auto
+
+Number Friendly Name      Serial Number        HealthStatus OperationalStatus Total Size Partition Style
+------ -------------      -------------        ------------ ----------------- ---------- ---------------
+0      MTFDDAK256MAM-1K1  13050928F47C         Healthy      Online             238.47 GB MBR
+1      ST1000DM003-1ER162 Z4Y3GD8F             Healthy      Online             931.51 GB GPT
+```
+
+You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
+
+![Volumes](images/mbr2gpt-volume.PNG)
+
+
+If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool. To determine the partition style, type **diskpart** and then type **list disk**. See the following example:
+
+```
+DISKPART> list disk
+
+  Disk ###  Status         Size     Free     Dyn  Gpt
+  --------  -------------  -------  -------  ---  ---
+  Disk 0    Online          238 GB      0 B
+  Disk 1    Online          931 GB      0 B        *
+```
+
+In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.
+
+
+
+
+## Related topics
+
+[Using MBR2GPT with Configuration Manager OSD](https://miketerrill.net/tag/mbr2gpt/)
+<BR>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+<BR>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+<BR>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)

windows/keep-secure/code/example.ps1

@@ -0,0 +1,52 @@
+$tenantId = '{Your Tenant ID}'
+$clientId = '{Your Client ID}'
+$clientSecret = '{Your Client Secret}'
+
+$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId
+
+$tokenPayload = @{
+    "resource"='https://graph.windows.net'
+    "client_id" = $clientId
+    "client_secret" = $clientSecret
+    "grant_type"='client_credentials'}
+
+$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+$token = $response.access_token
+
+$headers = @{
+    "Content-Type"="application/json"
+    "Accept"="application/json"
+    "Authorization"="Bearer {0}" -f $token }
+
+$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+
+$alertDefinitions =
+    (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
+
+$alertDefinitionPayload = @{
+    "Name"= "The Alert's Name"
+    "Severity"= "Low"
+    "InternalDescription"= "An internal description of the Alert"
+    "Title"= "The Title"
+    "UxDescription"= "Description of the alerts"
+    "RecommendedAction"= "The alert's recommended action"
+    "Category"= "Trojan"
+    "Enabled"= "true"}
+
+$alertDefinition =
+    Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+        -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+
+$alertDefinitionId = $alertDefinition.Id
+
+$iocPayload = @{
+    "Type"="Sha1"
+    "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
+    "DetectionFunction"="Equals"
+    "Enabled"="true"
+    "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+
+$ioc =
+    Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+         -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)

windows/keep-secure/code/example.py

@@ -0,0 +1,53 @@
+import json
+import requests
+from pprint import pprint
+
+tenant_id="{your tenant ID}"
+client_id="{your client ID}"
+client_secret="{your client secret}"
+
+auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id)
+
+payload = {"resource": "https://graph.windows.net",
+           "client_id": client_id,
+           "client_secret": client_secret,
+           "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+
+with requests.Session() as session:
+    session.headers = {
+        'Authorization': 'Bearer {}'.format(token),
+        'Content-Type': 'application/json',
+        'Accept': 'application/json'}
+
+    response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+    pprint(json.loads(response.text))
+
+    alert_definition = {"Name": "The alert's name",
+                        "Severity": "Low",
+                        "InternalDescription": "An internal description of the alert",
+                        "Title": "The Title",
+                        "UxDescription": "Description of the alerts",
+                        "RecommendedAction": "The alert's recommended action",
+                        "Category": "Trojan",
+                        "Enabled": True}
+
+    response = session.post(
+        "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+        json=alert_definition)
+
+    alert_definition_id = json.loads(response.text)["Id"]
+
+    ioc = {'Type': "Sha1",
+           'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+           'DetectionFunction': "Equals",
+           'Enabled': True,
+           "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+    response = session.post(
+        "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+        json=ioc)
+
+    pprint(json.loads(response.text))

windows/keep-secure/credential-guard.md

@@ -40,12 +40,10 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
 
 ## Requirements
 
-For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
+For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
 
 ### Hardware and software requirements
 
-To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. 
-
 To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
 - Support for Virtualization-based security (required)
 - TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
@@ -82,14 +80,15 @@ Applications may cause performance issues when they attempt to hook the isolated
 
 ### Security considerations
 
-The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
+All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. 
+Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.  
+The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
 
 > [!NOTE]  
-> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.<br>
-> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
-> Starting in Widows 10, 1607, TPM 2.0 is required.
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. <br>
+> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
 
-#### Baseline protection recommendations
+#### Baseline protections
 
 |Baseline Protections                   | Description                                        |
 |---------------------------------------------|----------------------------------------------------|
@@ -101,9 +100,9 @@ The following tables provide more information about the hardware, firmware, and
 | Software: Qualified **Windows operating system**  | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
 
 > [!IMPORTANT]
-> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide.
+> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
 
-#### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
+#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
 
 | Protections for Improved Security          | Description                                        |
 |---------------------------------------------|----------------------------------------------------|
@@ -113,10 +112,10 @@ The following tables provide more information about the hardware, firmware, and
 
 <br>
 
-#### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016)
+#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
 
 > [!IMPORTANT]
-> The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
+> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
 
 | Protections for Improved Security         | Description                                        |
 |---------------------------------------------|----------------------------------------------------|
@@ -126,9 +125,9 @@ The following tables provide more information about the hardware, firmware, and
 
 <br>
 
-#### 2017 Additional security requirements starting with Windows 10, version 1703 
+#### 2017 Additional security qualifications starting with Windows 10, version 1703 
 
-The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. 
+The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. 
 
 | Protection for Improved Security          | Description                                        |
 |---------------------------------------------|----------------------------------------------------|

windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md

@@ -347,11 +347,13 @@ These parameters are compatible with the [OData V4 query language](http://docs.o
 
 ## Code examples
 The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence API in several programming languages:
-- PowerShell code examples
-- Python code examples
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
 
 
 ## Related topics
-- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
 - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)

windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md

@@ -40,6 +40,8 @@ Before you can create custom threat intelligence (TI) using REST API, you'll nee
 You’ll need to use the access token in the Authorization header when doing REST API calls.
 
 ## Related topics
-- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
 - [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)

windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md

@@ -50,10 +50,10 @@ This status indicates that there's limited communication between the machine and
 
 The following suggested actions can help fix issues related to a misconfigured machine with impaired communication:
 
-- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
   The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
 
-- Verify client connectivity to Windows Defender ATP service URLs</br>
+- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br>
   Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
 
 If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
@@ -62,16 +62,16 @@ If you took corrective actions and the machine status is still misconfigured, [o
 A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
 Follow theses actions to correct known issues related to a misconfigured machine with status ‘Impaired communication’:
 
-- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
   The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
 
-- Verify client connectivity to Windows Defender ATP service URLs</br>
+- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br>
   Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
 
-- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled)
+- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled)</br>
 If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint.
 
-- [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy)
+- [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy)</br>
 If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
 
 If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).

windows/keep-secure/hello-identity-verification.md

@@ -72,7 +72,7 @@ Imagine that someone is looking over your shoulder as you get money from an ATM
 
 Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
 
-For customers using a hybrid Active Directory and Azure Active Directorye environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
+For customers using a hybrid Active Directory and Azure Active Directory environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
 
 > [!NOTE]
 >  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.