diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index d34abc564c..e06f28392e 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -1,6 +1,6 @@
{
"build_entry_point": "",
- "need_generate_pdf": true,
+ "need_generate_pdf": false,
"need_generate_intellisense": false,
"docsets_to_publish": [
{
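Review bot: the flip of `need_generate_pdf` from `true` to `false` is a build-configuration change bundled with unrelated documentation edits, and nothing in the patch explains why PDF output is being turned off. Split it into its own commit or state the reason in the commit message, so that reverting the doc changes later does not also change the publishing behaviour.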
diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md
index a3dce6ef96..82c95ff35b 100644
--- a/windows/deploy/activate-using-active-directory-based-activation-client.md
+++ b/windows/deploy/activate-using-active-directory-based-activation-client.md
@@ -91,7 +91,7 @@ To verify your Active Directory-based activation configuration, complete the fol
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
**Note**
- If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmrg.vbs /dlv** command also indicates whether KMS has been used.
+ If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index d31167eaf6..5e20aa7fff 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -100,11 +100,13 @@ The following tables describes additional hardware and firmware requirements, an
## Manage Credential Guard
-Credential Guard uses virtualization-based security features that must be enabled on each PC before you can use it.
+### Enable Credential Guard
+Credential Guard can be enabled by using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
-### Turn on Credential Guard by using Group Policy
+#### Turn on Credential Guard by using Group Policy
+
+You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
-You can use Group Policy to enable Credential Guard because it will add the virtualization-based security features for you.
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
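Review bot: in the rewritten Group Policy paragraph, "This will add and enable the virtualization-based security features for you if needed" leaves "if needed" undefined. Say which Windows versions need the features added, matching the version split introduced later in this file. Also, the new `### Enable Credential Guard` heading is followed directly by its paragraph, while the `#### Turn on Credential Guard by using Group Policy` heading below gets a blank line; add the blank line for consistency.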
@@ -114,43 +116,46 @@ You can use Group Policy to enable Credential Guard because it will add the virt
5. Close the Group Policy Management Console.
-### Add Credential Guard to an image
+To enforce processing of the group policy, you can run ```gpupdate /force```.
-If you would like to add Credential Guard to an image, you can do this by adding the virtualization-based security features and then turning on Credential Guard.
+#### Turn on Credential Guard by using the registry
-### Add the virtualization-based security features
+If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
-First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+##### Add the virtualization-based security features
+
+Starting with Windows 10 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
+
+If you are using Windows 10 1507 (RTM) or Windows 10 1511, Windows features have to be enabled to use virtualization-based security.
+You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> [!NOTE]
> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
+
**Add the virtualization-based security features by using Programs and Features**
+
1. Open the Programs and Features control panel.
2. Click **Turn Windows feature on or off**.
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
-4. Click **OK**.
+4. Select the **Isolated User Mode** check box at the top level of the feature selection.
+5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
+
1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command:
``` syntax
dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
+3. Add the Isolated User Mode feature by running the following command:
+ ``` syntax
+ dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
+ ```
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
-
-In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
-
-``` syntax
-dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
-```
-### Turn on Credential Guard
-
-If you don't use Group Policy, you can enable Credential Guard by using the registry.
-
-**Turn on Credential Guard by using the registry**
+##### Enable virtualization-based security and Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
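Review bot: removing the "Add Credential Guard to an image" heading leaves the offline-image DISM steps nested under "Turn on Credential Guard by using the registry", where a reader preparing an image is unlikely to look. Keep a pointer or subsection for the imaging scenario. Two smaller points: `gpupdate /force` is wrapped in triple backticks inline and should use single backticks, and the new step 3 command omits `/all` while step 2 uses it. Either align the two or note why the second does not need it. As shown, `/image:` carries no path placeholder in either command.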
@@ -166,14 +171,29 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
> [!NOTE]
> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
-**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
+#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
```
-
+
+#### Credential Guard deployment in virtual machines
+
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
+
+Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
+
+``` PowerShell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+Requirements for running Credential Guard in Hyper-V virtual machines
+- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
+- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
+
+
### Remove Credential Guard
If you have to remove Credential Guard on a PC, you need to do the following:
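Review bot: the `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` example has no value after `-VMName`; add a placeholder such as `<VMName>` so the command can be copied and adapted. In the paragraph above it, "non-priviledged" should be "non-privileged". The "Requirements for running Credential Guard in Hyper-V virtual machines" line needs heading or bold formatting and a blank line before the list, "and running at least" should read "and run at least", and the guest requirement says "Windows 10" with no version while the host requirement says "Windows 10 version 1607". State the minimum guest version explicitly.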
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 6bffe0f171..c6e5606348 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -73,7 +73,7 @@ See the following table for a summary of the management settings for Windows 10
| [14. OneDrive](#bkmk-onedrive) | |  | |  | |
| [15. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
| [16. Settings > Privacy](#bkmk-settingssection) | | | | | |
-| [16.1 General](#bkmk-priv-general) |  |  |  |  | |
+| [16.1 General](#bkmk-general) |  |  |  |  | |
| [16.2 Location](#bkmk-priv-location) |  |  |  | | |
| [16.3 Camera](#bkmk-priv-camera) |  |  |  | | |
| [16.4 Microphone](#bkmk-priv-microphone) |  |  | | | |
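Review bot: the link target for "16.1 General" changes to `#bkmk-general` while the neighbouring rows keep the `#bkmk-priv-` prefix (`#bkmk-priv-location`, `#bkmk-priv-camera`, `#bkmk-priv-microphone`). The anchor definition itself is not part of this patch, so please confirm that `bkmk-general` is the id actually present on the 16.1 section. If the section anchor was the outlier, renaming it to `bkmk-priv-general` would keep the naming consistent instead of changing both tables.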
@@ -119,7 +119,7 @@ See the following table for a summary of the management settings for Windows Ser
| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | |
| [14. OneDrive](#bkmk-onedrive) | |  | | |
| [16. Settings > Privacy](#bkmk-settingssection) | | | | |
-| [16.1 General](#bkmk-priv-general) |  |  |  | |
+| [16.1 General](#bkmk-general) |  |  |  | |
| [17. Software Protection Platform](#bkmk-spp) | |  | | |
| [19. Teredo](#bkmk-teredo) | |  | |  |
| [21. Windows Defender](#bkmk-defender) | |  |  | |
diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/manage/waas-manage-updates-configuration-manager.md
index af90f73616..1333b461a4 100644
--- a/windows/manage/waas-manage-updates-configuration-manager.md
+++ b/windows/manage/waas-manage-updates-configuration-manager.md
@@ -381,7 +381,9 @@ or Manage Windows 10 updates using System Center Configuration Manager (this top
+## See also
+[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
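Review bot: the new `## See also` heading is followed immediately by the link with no blank line and no list marker, whereas the "See also" section visible elsewhere in this patch uses a bulleted entry (`- [Volume Activation for Windows 10](...)`). Add a blank line after the heading and make the link a list item to match.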